Date Published: November 2018
Comments Due: February 18, 2019 (public comment period is CLOSED)
Email Questions to: tls-cert-mgmt-nccoe@nist.gov
Planning Note (1/29/2019):
The comment closing date has been extended to February 18, 2019 (originally Dec. 31, 2018) for preliminary drafts of Volume A (Executive Summary) and Volume B (Approach, Architecture, and Security Characteristics).
Author(s)
Murugiah Souppaya (NIST), William Haag (NIST), Paul Turner (Venafi), William Barker (Dakota Consulting)
Announcement
This project is using commercially available technologies to develop a cybersecurity reference design that demonstrates how to establish, assign, change and track an inventory of Transport Layer Security (TLS) certificates in medium and large enterprises. Improper oversight of TLS server certificates--which can number into the thousands for a single organization--can cause system outages and security breaches, which can result in revenue loss, harm to reputation, and exposure of confidential data to attackers.
We will use the comments received to help shape the later volumes of this guide, scheduled for release in full (Volumes A, B, C, D) in the spring of 2019. In the interim, organizations can start adopting NIST's recommended best practices for the oversight of large-scale TLS server certificate inventories.
This NIST Cybersecurity Practice Guide consists of the following volumes:
- Volume A: an executive-level summary describing the challenge that the TLS Server Certificate Management Project addresses, and a high-level description of the recommended solution;
- Volume B: recommended best practices for large-scale TLS server certificate management;
- Volume C (2019 release): a description of an example automated TLS certificate management solution for preventing, detecting, and recovering from certificate-related incidents, and a mapping of the example solution’s capabilities to the recommended best practices and to NIST security guidelines and frameworks; and
- Volume D (2019 release): a description of how to build this example solution.
The solutions and architectures presented in this practice guide are built upon standards-based, commercially available and open-source products. These solutions can be used by any organization managing TLS server certificates. Interoperable solutions are provided that are available from different types of sources (e.g., both commercial and open-source products).
Keywords
authentication; certificate; cryptography; identity; key; key management; PKI; private key; public key; public key infrastructure; server; signature; TLS; Transport Layer Security
Control Families
Access Control;
Audit and Accountability;
Configuration Management;
Program Management;
System and Information Integrity;