TLS Server Certificate Management

Current Status

This project has entered the build phase. We have selected several technology collaborators who have signed a Cooperative Research and Development Agreement (CRADA; see an example) with the National Institute of Standards and Technology (NIST).

Download the TLS Server Certificate Management project description for full project details.

Summary

The National Cybersecurity Center of Excellence (NCCoE) at NIST recognizes the need to ensure secure communications between clients and servers. To enhance secure communications, the NCCoE has launched a project entitled: TLS (Transport Layer Security) Server Certificate Management. This project will use commercially available technologies to develop a cybersecurity reference design that can be implemented in enterprise environments to reduce outages, improve security, and enable disaster recovery activities related to TLS certificates.

TLS is a broadly used cryptographic protocol that provides authentication and encryption of communications between clients and servers. TLS requires the use of a certificate that contains information about the certificate owner and a corresponding private key.  A server using TLS must have a certificate (and the corresponding private key) to authenticate themselves and to establish symmetric keys for encryption.  The on-going maintenance of TLS certificates is labor-intensive and can produce erroneous condition(s) if the certificate maintenance is not performed carefully and in a systematic manner.

This project focuses on the management of TLS server certificates in medium and large enterprises that rely on TLS to secure both customer-facing and internal applications. Client certificates may optionally be used in TLS for mutual authentication, but the management of client certificates is outside the scope of this project. This NCCoE project will demonstrate how to establish, assign, change and track an inventory of TLS certificates. It will result in a publicly available NIST Cybersecurity Practice Guide, a detailed implementation guide of the practical steps required to implement a cybersecurity reference design that addresses this challenge.

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

DigiCert
f5 logo
Symantec logo
Venafi logo