Active Certificate Analysis
Definition
Actively collecting PKI certificates by connecting to the server and downloading its server certificates for analysis.
How it works
Server certificates are collected actively, by connecting to the server and taking the chain it presents, and then analyzed to detect whether they have been misconfigured or spoofed, using the fields of the certificate itself, the certificate authorities in its chain, and the signatures that bind them together.
Certificate validity analysis
This is accomplished by verifying the digital signature on the certificate against the issuer's public key, and by checking that the current time falls inside the certificate's validity period (notBefore and notAfter).
Certificate path analysis
The client (typically the browser) performs path validation to ensure that the server's certificate chains, through any intermediate CA certificates, to a trust anchor in the client's trust store, and that the name in the certificate matches the host being contacted.
Certificate configuration analysis
Clients can enforce the key usage and extended key usage extensions contained in certificates, for example rejecting a certificate presented for TLS server authentication if it lacks the serverAuth extended key usage. This helps to prevent a certificate issued for one purpose from being misused for another.
Certificate revocation status analysis
Revocation status is determined using either Certificate Revocation Lists (CRLs) or the Online Certificate Status Protocol (OCSP). With OCSP stapling, the server obtains a signed, time-stamped OCSP response for its own certificate and includes it in the TLS handshake, so the client does not have to contact the responder itself; this mitigates the delay (and the privacy cost) of a separate status lookup.
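As an added example, not part of this article and not code from any product it describes, the following Go program carries out the four analyses above against a constructed in-memory PKI. fetchChain shows the active collection step with crypto/tls; AnalyzeCertificate, BuildTestPKI, the host names good.example.test and revoked.example.test, and the "Example Test Root" CA are all assumptions made for the example. Only the Go standard library is used (Go 1.18 or later for the generic helper).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// fetchChain is the active collection step; InsecureSkipVerify is deliberate because the chain is
// checked by AnalyzeCertificate afterwards and no application data is ever sent over this socket.
func fetchChain(host string, port int) ([]*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", fmt.Sprintf("%s:%d", host, port), &tls.Config{ServerName: host, InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates, nil
}

// AnalyzeCertificate runs the article's four checks on leaf; an empty result means all of them passed.
func AnalyzeCertificate(leaf, issuer, trustAnchor *x509.Certificate, host string, crl *x509.RevocationList, now time.Time) []string {
	var f []string
	// Validity: the issuer's signature over the TBSCertificate (Verify below also enforces notBefore/notAfter).
	if err := leaf.CheckSignatureFrom(issuer); err != nil {
		f = append(f, "signature: "+err.Error())
	}
	// Path: chain to the trust anchor and match host; ExtKeyUsageAny keeps EKU enforcement out of this step.
	roots := x509.NewCertPool()
	roots.AddCert(trustAnchor)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		f = append(f, "path: "+err.Error())
	}
	// Configuration: key usage and extended key usage must permit TLS server authentication.
	serverAuth := false
	for _, eku := range leaf.ExtKeyUsage {
		serverAuth = serverAuth || eku == x509.ExtKeyUsageServerAuth || eku == x509.ExtKeyUsageAny
	}
	if leaf.KeyUsage&x509.KeyUsageDigitalSignature == 0 || !serverAuth {
		f = append(f, "keyusage: digitalSignature KU and serverAuth EKU required")
	}
	// Revocation: a CRL is evidence only if the issuer signed it; with none, fail-open vs fail-closed is policy.
	if crl == nil || crl.CheckSignatureFrom(issuer) != nil {
		return append(f, "revocation: status unknown (no CRL, or CRL not signed by issuer)")
	}
	if now.After(crl.NextUpdate) {
		f = append(f, "revocation: CRL is stale, nextUpdate "+crl.NextUpdate.UTC().Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates { // RevokedCertificateEntries is the Go 1.21+ name
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			f = append(f, "revocation: certificate is revoked")
		}
	}
	return f
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildTestPKI constructs an in-memory PKI (root CA, good leaf serial 2, revoked leaf serial 3, a CRL
// revoking serial 3, fresh for one hour) so the example runs offline in place of a fetched chain.
func BuildTestPKI() (root, good, revoked *x509.Certificate, crl *x509.RevocationList, now time.Time) {
	now = time.Now()
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // shared by both leaves for brevity
	sign := func(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey) *x509.Certificate {
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, rootKey))))
	}
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	root = sign(rootTmpl, rootTmpl, &rootKey.PublicKey)
	leaf := func(serial int64, name string) *x509.Certificate {
		return sign(&x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
			DNSNames: []string{name}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, root, &leafKey.PublicKey)
	}
	crl = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(3), RevocationTime: now.Add(-time.Minute)}},
	}, root, rootKey))))
	return root, leaf(2, "good.example.test"), leaf(3, "revoked.example.test"), crl, now
}

func main() {
	root, good, revoked, crl, now := BuildTestPKI()
	fmt.Println(AnalyzeCertificate(good, root, root, "good.example.test", crl, now))       // []
	fmt.Println(AnalyzeCertificate(revoked, root, root, "revoked.example.test", crl, now)) // [revocation: certificate is revoked]
}
```

Two design choices are worth noting. Verify is called with ExtKeyUsageAny so that a wrong extended key usage is reported as a configuration finding rather than disguised as a path failure, and a missing or unsigned CRL is reported as unknown status, never as "not revoked"; what to do with an unknown status (fail open or fail closed) is the policy decision the Considerations below describe. Passing a non-matching host name, a nil CRL, or a time past the CRL's nextUpdate to AnalyzeCertificate exercises each of those cases.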
Considerations
- Management of the PKI across the enterprise typically requires automation to maintain scalability and flexibility
- If the certificate authority that issued a certificate is compromised, then all of the certificates issued by that CA are suspect
- There may be delays between a change to a certificate (renewal, reissue or revocation) and its propagation to clients, for example through cached CRLs or OCSP responses
- A revoked certificate still gives the appearance of a valid certificate until the revocation is published by a trusted revocation service (OCSP or CRL) and the client actually obtains that status
- The revocation service (OCSP responder or CRL distribution point) may be unreachable during the connection; the client must then decide whether to trust the connection anyway (fail open) or reject it (fail closed)