ADSS Web RA: TLS certificate issuance and management

Posted by Mike Hathaway on Oct 30, 2024 11:00:00 AM

Digital certificates sit behind almost every secured connection we make, personal or business. A certificate binds a public key to a name (a domain, or a vetted organisation) so that a browser or other client can authenticate the server it is talking to and establish an encrypted session. The best part is that this happens without any effort on the user's part and without the user noticing, until a certificate expires.

Many of us remember the padlock that used to appear in the browser's address bar, and the bar turning green for sites with an EV certificate. Browsers have since removed these cues: the green bar is gone from all major browsers, and Chrome has replaced the padlock with a neutral site-settings icon.


If you want to confirm that the connection to your bank is secure, click the site-information button next to the address bar; it will tell you whether the connection is secure and let you inspect the certificate the site presented. That is the nature of modern web security: when it works, it is almost entirely invisible.

Publicly trusted certification authorities (CAs) issue the certificates that website owners deploy. The rules those CAs operate under exist to ensure:

  • A consistent, high standard of validation before issuance
  • Interoperability, so a certificate is accepted by every mainstream browser and operating system
  • Sound key-management and operational security practices

To be trusted, a CA must satisfy the requirements of the browser and operating-system root programs (those of Mozilla, Google, Apple and Microsoft, among others), the CA/Browser Forum's Baseline Requirements, and annual third-party audits such as WebTrust for CAs or the equivalent ETSI audit. Meeting these is what makes the certificates a CA issues recognised and trusted by browsers and operating systems worldwide.

All public CAs must follow these standards to ensure secure and consistent operations. This includes proper:

  • Certificate issuance
  • Management
  • Revocation

Failure to comply can lead to distrust: a root program will remove a CA that repeatedly violates these requirements from its trust store, after which certificates issued by that CA are rejected by the affected browsers.

A fundamental part of the issuance process is the validation that must succeed before a trusted certificate is issued. The depth of that validation depends on the certificate type:

  • Domain-validated (DV) certificates: The CA verifies only that the requester controls each domain name that will appear in the certificate, using one of the CA/Browser Forum's approved domain-control methods (for example, placing a CA-supplied value in a DNS record or at an agreed HTTP path on the domain, or responding to email sent to an address associated with the domain). Nothing about the requesting organisation or person is verified.
  • Organisation-validated (OV) certificates: In addition to domain control, the CA verifies that the organisation exists (against an official registry or an equivalent source) and that the person making the request is authorised to do so on its behalf.
  • Extended validation (EV) certificates: The most thorough level of verification. The CA confirms the organisation's legal existence, identity and address, and the requester's authority, according to the CA/Browser Forum's EV Guidelines, which require additional documentation before an EV certificate can be issued.

Beyond validating domain control and organisational identity, Certificate Transparency (CT) requires CAs to publish every TLS certificate they issue to public, append-only CT logs. Each log entry records which CA issued a certificate for which domain names, and Chrome and Safari refuse TLS certificates that are not accompanied by proof of logging (Signed Certificate Timestamps).

Domain owners can monitor the CT logs for their own domains and use them to detect mis-issued certificates. Because logging is a condition of the certificate being accepted, mis-issuance can be detected quickly and efficiently.

Ascertia's ADSS Web RA Server helps Trust Service Providers (TSPs) with these tasks by providing the tools a TSP needs to carry out the required validation steps.

What does Web RA support?

EV, OV, and DV validation checks

These ensure that a certificate is only issued to the verified domain owner and, for OV and EV, the verified organisation.

Certification Authority Authorisation (CAA) verification

Web RA looks up the domain's CAA records in the Domain Name System (DNS), as specified in RFC 8659, to check that the domain owner has authorised the CA to issue a certificate for that domain before the request proceeds.
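The CAA check described above, as an added example that is not Web RA's own code: a Go implementation of the RFC 8659 lookup rules (climb towards the root to find the relevant record set, `issue` for ordinary names, `issuewild` for wildcards, and the `;` value that authorises nobody) run against a constructed in-memory zone. The zone contents, the issuer names `trusted-ca.example` and `other-ca.example`, and the function names are all made up for the example; a real RA resolves the records over DNS.

```go
package main

import (
	"fmt"
	"strings"
)

// CAARecord holds the tag/value pair of a CAA resource record (RFC 8659).
// The flags byte is omitted: only "issue" and "issuewild" are evaluated here.
type CAARecord struct {
	Tag   string // "issue", "issuewild", "iodef", ...
	Value string // issuer-domain-name plus optional ";k=v" parameters, or ";"
}

// zone is a constructed in-memory stand-in for DNS so the example runs
// offline; a real RA resolves CAA over DNS. Keys are FQDNs without a
// trailing dot.
type zone map[string][]CAARecord

// relevantRecordSet performs the RFC 8659 section 3 climb: starting at the
// requested name, walk towards the root and return the first non-empty CAA
// record set. nil means no CAA policy applies to the name.
func relevantRecordSet(z zone, name string) []CAARecord {
	labels := strings.Split(strings.TrimSuffix(name, "."), ".")
	for i := range labels {
		if rrs := z[strings.Join(labels[i:], ".")]; len(rrs) > 0 {
			return rrs
		}
	}
	return nil
}

// issuerOf extracts the issuer-domain-name from a property value, dropping
// any parameters after ";" (e.g. "ca.example; accounturi=..."). An empty
// result, as produced by the value ";", names no CA at all.
func issuerOf(value string) string {
	v, _, _ := strings.Cut(value, ";")
	return strings.ToLower(strings.TrimSpace(v))
}

// MayIssue reports whether the CA identified by caDomain may issue for name.
// Wildcard names are governed by "issuewild" records when any exist and fall
// back to "issue" otherwise; a relevant set with neither tag imposes no
// restriction (it might only carry "iodef").
func MayIssue(z zone, name, caDomain string) bool {
	wildcard := strings.HasPrefix(name, "*.")
	rrs := relevantRecordSet(z, strings.TrimPrefix(name, "*."))
	tag := "issue"
	if wildcard {
		for _, r := range rrs {
			if r.Tag == "issuewild" {
				tag = "issuewild"
				break
			}
		}
	}
	restricted, permitted := false, false
	for _, r := range rrs {
		if r.Tag == tag {
			restricted = true
			if issuerOf(r.Value) == strings.ToLower(caDomain) {
				permitted = true
			}
		}
	}
	return !restricted || permitted
}

// exampleZone is constructed data for the demonstration.
var exampleZone = zone{
	"example.com": {
		{Tag: "issue", Value: "trusted-ca.example; accounturi=https://trusted-ca.example/acct/42"},
		{Tag: "issuewild", Value: ";"}, // no CA may issue wildcards
		{Tag: "iodef", Value: "mailto:security@example.com"},
	},
	"locked.example.com": {{Tag: "issue", Value: ";"}}, // nobody may issue below here
	"other.example":      {{Tag: "iodef", Value: "mailto:abuse@other.example"}},
}

func main() {
	for _, c := range []struct{ name, ca string }{
		{"www.example.com", "trusted-ca.example"},
		{"www.example.com", "other-ca.example"},
		{"*.example.com", "trusted-ca.example"},
		{"api.locked.example.com", "trusted-ca.example"},
		{"no-caa.test", "trusted-ca.example"},
		{"other.example", "trusted-ca.example"},
	} {
		fmt.Printf("%-24s %-20s allowed=%v\n", c.name, c.ca, MayIssue(exampleZone, c.name, c.ca))
	}
}
```

Two things a production check adds to this: the records must come from a real resolver, with lookup failures treated conservatively (the Baseline Requirements permit issuance after a failed lookup only under narrow conditions), and the `accounturi` and `validationmethods` parameters (RFC 8657) should be honoured rather than matching on the issuer domain alone, as this example does.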

Certificate and CSR Policy enforcement

Web RA checks that every certificate request it processes meets the configured security policy. This includes:

  • Validating that the key length is on the list permitted by the policy.
  • Verifying that the public key has not already appeared in a previously submitted request or in an issued or revoked certificate (a reused key may indicate a compromised or mishandled key).
  • Verifying that the key and signature algorithm is RSA or ECDSA.
  • Checking that the certificate signing request (CSR) key is not one of the known Debian weak keys (keys produced by the broken OpenSSL random number generator shipped in Debian-derived systems between 2006 and 2008, CVE-2008-0166).
  • Verifying proof of possession: the CSR's signature must verify under the public key it contains, which shows that the requester holds the matching private key.
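The policy checks listed above, as an added Go example that is not Web RA's own code: it parses a DER-encoded CSR with the standard library, verifies proof of possession through the CSR's self-signature, applies a key-size and curve allow list, rejects anything that is not RSA or ECDSA, and rejects keys that are on a blocklist or have already been seen. The `Policy` structure, the verdict names and the sample CSRs are constructed for the example; the blocklist is simulated by registering a freshly generated key, because the real Debian weak-key fingerprint set is not included here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// Verdict is the policy outcome for one CSR; anything but OK is a reject.
type Verdict string

const OK, BadDER, NoPoP, BadAlg Verdict = "ok", "not-a-csr", "proof-of-possession-failed", "algorithm-not-permitted"
const BadSize, Weak, Reused Verdict = "key-size-or-curve-not-permitted", "weak-key", "key-reused"

// Policy is a constructed stand-in for an RA policy, not Web RA's own config. Keys are
// tracked by their DER SubjectPublicKeyInfo (a real RA would store a hash of it).
type Policy struct {
	RSAKeySizes map[int]bool    // permitted RSA modulus sizes in bits
	ECCurves    map[string]bool // permitted named curves
	SeenSPKI    map[string]bool // keys already seen in requests or issued/revoked certs
	WeakSPKI    map[string]bool // blocklist; a real RA loads the Debian weak-key set here
}

// CheckCSR applies the policy to a DER-encoded CSR (PEM decoding is left out);
// on OK the key is recorded so a later request with the same key is Reused.
func CheckCSR(p *Policy, der []byte) Verdict {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return BadDER
	}
	// Proof of possession: the self-signature must verify under the public key in
	// the CSR, otherwise the requester has not shown it holds the private key.
	if csr.CheckSignature() != nil {
		return NoPoP
	}
	switch pub := csr.PublicKey.(type) {
	case *rsa.PublicKey:
		if !p.RSAKeySizes[pub.N.BitLen()] {
			return BadSize
		}
	case *ecdsa.PublicKey:
		if !p.ECCurves[pub.Curve.Params().Name] {
			return BadSize
		}
	default: // Ed25519, DSA, ...
		return BadAlg
	}
	spki := string(csr.RawSubjectPublicKeyInfo)
	switch {
	case p.WeakSPKI[spki]:
		return Weak
	case p.SeenSPKI[spki]:
		return Reused
	}
	p.SeenSPKI[spki] = true
	return OK
}

// csrDER signs a minimal CSR with key (sample input only). With tamper set, the
// last byte, which lies inside the signature value, is flipped so the proof of
// possession fails while the CSR still parses.
func csrDER(key any, cn string, tamper bool) []byte {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		panic(err)
	}
	if tamper {
		der[len(der)-1] ^= 0xff
	}
	return der
}

// SampleResults runs the policy over constructed CSRs that exercise each check.
func SampleResults() map[string]Verdict {
	p := &Policy{RSAKeySizes: map[int]bool{2048: true, 3072: true, 4096: true},
		ECCurves: map[string]bool{"P-256": true, "P-384": true},
		SeenSPKI: map[string]bool{}, WeakSPKI: map[string]bool{}}
	rsa2048, _ := rsa.GenerateKey(rand.Reader, 2048)
	rsa1024, _ := rsa.GenerateKey(rand.Reader, 1024)
	p256, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	weak, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	weakSPKI, _ := x509.MarshalPKIXPublicKey(&weak.PublicKey) // simulate a blocklisted key
	p.WeakSPKI[string(weakSPKI)] = true
	out := map[string]Verdict{}
	out["rsa2048"] = CheckCSR(p, csrDER(rsa2048, "www.example.com", false))
	out["rsa2048-again"] = CheckCSR(p, csrDER(rsa2048, "mail.example.com", false)) // same key, new CSR
	out["rsa1024"] = CheckCSR(p, csrDER(rsa1024, "www.example.com", false))
	out["p256"] = CheckCSR(p, csrDER(p256, "www.example.com", false))
	out["tampered"] = CheckCSR(p, csrDER(p256, "www.example.com", true))
	out["weak"] = CheckCSR(p, csrDER(weak, "www.example.com", false))
	return out
}

func main() { fmt.Println(SampleResults()) }
```

Each map entry names the check that a constructed CSR trips. Key reuse is tracked in memory here; a real RA persists key fingerprints across requests and across issued and revoked certificates, and a reuse hit is also a prompt to ask whether the earlier certificate for that key needs revoking.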

For TLS certificates, ADSS Server submits each certificate to CT log servers as part of the issuance process.

Learn more about how Ascertia's ADSS Web RA Server can help your business.