TLS Server Certificate Management

Transport Layer Security (TLS), a widely used cryptographic protocol, depends on TLS certificates, which organizations must deploy along with their corresponding private keys to provide their systems with unique identities that can be reliably authenticated. However, many organizations do not have the ability to centrally monitor and manage their TLS certificates.

Formal TLS server certificate management programs to help large and medium enterprises identify and address their certificate risks

The NCCoE aims to help medium and large-size organizations better manage their TLS server certificates by recommending practices and demonstrating automated example solutions to help organizations prevent, detect, and recover from certificate-related incidents. This practice guide can benefit executives, chief Information security officers, system administrators, or anyone who has a stake in protecting his or her organization's data, privacy, and overall operational security.
Status: Finalized Guidance

Upon review, we recognize that this NIST/NCCoE publication contains potentially biased terminology. As new publications are developed, they will follow NIST’s inclusive language guidance.

NIST SP 1800-16: Complete Guide (HTML)Web Version NIST SP 1800-16: Complete Guide (HTML)
NIST SP 1800-16: Complete Guide (PDF)Web Version NIST SP 1800-16: Complete Guide (PDF)
NIST SP 1800-16A: Executive SummaryDocument Version NIST SP 1800-16A: Executive Summary
NIST SP 1800-16B: Security Risks and Recommended Best PracticesDocument Version NIST SP 1800-16B: Security Risks and Recommended Best Practices
NIST SP 1800-16C: Approach, Architecture, and Security Characteristics Document Version NIST SP 1800-16C: Approach, Architecture, and Security Characteristics

Project Abstract

Securing web transactions and other communications between clients and servers for organizations is vitally important. This project used commercially available technologies to demonstrate how medium and large enterprises that rely on Transport Layer Security (TLS) can better manage their TLS server certificates by defining policies, establishing certificate inventories, conducting continuous monitoring of certificate operational and security status, and automating certificate management. The example solution can also enable rapid migration to new certificates and keys to address vulnerabilities or compromises.

In June 2020, the NCCoE finalized NIST Special Publication (SP) 1800-16, Securing Web Transactions: TLS Server Certificate Management. Volumes A and B of SP 1800-16 provide enterprises with actionable guidance to help them establish and implement a formal TLS server certificate management program. Volume C explains the approach, architecture, and security characteristics of the example solution demonstrated in the NCCoE laboratory, and Volume D contains the how-to-guides with instructions for building the example solution.

Read the project description

Executive leadership should establish formal TLS server certificate management programs across their enterprises.

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

Join the Community of Interest

Employee speaking on video call with colleagues on online briefing with laptop at home

A Community of Interest (COI) is a group of professionals and advisors who share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Share your expertise and consider becoming a member of this project's COI. 

Tell us about yourself

First & Last Name