The National Cybersecurity Center of Excellence (NCCoE) at NIST recognizes the need to ensure secure communications between clients and servers. To enhance secure communications, the NCCoE has launched a project entitled TLS (Transport Layer Security) Server Certificate Management. This project will use commercially available technologies to develop a cybersecurity reference design that can be implemented in enterprise environments to reduce outages, improve security, and enable disaster recovery activities related to TLS certificates.
TLS is a broadly used cryptographic protocol that provides authentication and encryption of communications between clients and servers. TLS requires the use of a certificate that contains information about the certificate owner, together with a corresponding private key. A server using TLS must have a certificate (and the corresponding private key) to authenticate itself and to establish the symmetric keys used for encryption. The ongoing maintenance of TLS certificates is labor-intensive and can produce error conditions (such as outages caused by expired certificates) if it is not performed carefully and in a systematic manner.
This project focuses on the management of TLS server certificates in medium and large enterprises that rely on TLS to secure both customer-facing and internal applications. Client certificates may optionally be used in TLS for mutual authentication, but the management of client certificates is outside the scope of this project. This NCCoE project will demonstrate how to establish, assign, change, and track an inventory of TLS certificates. It will result in a publicly available NIST Cybersecurity Practice Guide: a detailed implementation guide to the practical steps required to implement a cybersecurity reference design that addresses this challenge.