Appendix A List of Acronyms

ACME

Automated Certificate Management Environment

AD

Active Directory

ADCS

Active Directory Certificate Services

API

Application Programming Interface

CA

Certificate Authority

CAPI

Cryptographic Application Programming Interface (also known variously as CryptoAPI, Microsoft Cryptography API, MS-CAPI, or simply CAPI)

CRL

Certificate Revocation List

CSR

Certificate Signing Request

DevOps

Development Operations

DMZ

Demilitarized Zone

DN

Distinguished Name

DNS

Domain Name System

FIPS

Federal Information Processing Standards

FTPS

File Transfer Protocol Secure

HSM

Hardware Security Module

HTTP

Hypertext Transfer Protocol

HTTPS

Hypertext Transfer Protocol Secure

IETF

Internet Engineering Task Force

IIS

Internet Information Server (Microsoft Windows)

IoT

Internet of Things

IP

Internet Protocol

LDAP

Lightweight Directory Access Protocol

LTM

Local Traffic Manager (F5)

NCCoE

National Cybersecurity Center of Excellence

NIST

National Institute of Standards and Technology

PED

Personal Information Number Entry Device

PKI

Public Key Infrastructure

POP

Post Office Protocol

REST

Representational State Transfer (API)

RMF

Risk Management Framework

RSA

Rivest, Shamir, and Adleman (public key encryption algorithm)

Thales TCT

Thales Trusted Cyber Technologies

SAN

Subject Alternative Name

SCEP

Simple Certificate Enrollment Protocol

SHA-1

Secure Hash Algorithm 1

SNI

Server Name Indication

SP

Special Publication

SPAN

Switched Port Analyzer

SQL

Structured Query Language

SSL

Secure Socket Layer (protocol)

TLS

Transport Layer Security (protocol)

TPP

Trust Protection Platform (Venafi)

URL

Uniform Resource Locator

Appendix B Glossary

Active Directory

A Microsoft directory service for management of identities in Windows domain networks.

Application

1. The system, functional area, or problem to which information technology is applied. The application includes related manual procedures as well as automated procedures. Payroll, accounting, and management information systems are examples of applications. (National Institute of Standards and Technology [NIST] Special Publication [SP] 800-16)

2. A software program hosted by an information system (NIST SP 800-137).

Application Programming Interface (API)

A system access point or library function that has a well-defined syntax and is accessible from application programs or user code to provide well-defined functionality. (NIST Interagency/Internal Report [IR] 5153)

Authentication

Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to a system’s resources. (NIST SP 800-63-3)

Automated Certificate Management Environment

A protocol defined in Internet Engineering Task Force (IETF) Request for Comments (RFC) 8555 that provides automated enrollment of certificates.

Certificate

A set of data that uniquely identifies an entity, contains the entity’s public key and possibly other information, and is digitally signed by a trusted party, thereby binding the public key to the entity. Additional information in the certificate could specify how the key is used and its validity period. (NIST SP 800-57 Part 1 Revision 4 [C1] under Public-Key Certificate) (Certificates in this practice guide are based on ).

Certificate Authority (CA)

A trusted entity that issues and revokes public key certificates. (NISTIR 8149)

Certificate Authority Authorization

A record associated with a Domain Name Server (DNS) entry that specifies the CAs authorized to issue certificates for that domain.

Certificate Chain

An ordered list of certificates that starts with an end-entity certificate, includes one or more CA certificates, and ends with the end-entity certificate’s root CA certificate, where each certificate in the chain is the certificate of the CA that issued the previous certificate. By ascertaining whether each certificate in the chain was issued by a trusted CA, the receiver of an end-user certificate can determine if it should trust the end-entity certificate, by verifying the signatures in the chain of certificates.

Certificate Management

Process whereby certificates (as defined above) are generated, stored, protected, transferred, loaded, used, and destroyed (Committee on National Security Systems Instruction [CNSSI] 4009-2015) (In the context of this practice guide, it also includes inventory, monitoring, enrolling, installing, and revoking).

Certificate Revocation List

A list of digital certificates that have been revoked by an issuing CA before their scheduled expiration date and should no longer be trusted.

Certificate Signing Request (CSR)

A request sent from a certificate requester to a CA to apply for a digital identity certificate. The certificate signing request contains the public key as well as other information to be included in the certificate and is signed by the private key corresponding to the public key.

Certificate Transparency

A framework for publicly logging the existence of Transport Layer Security (TLS) certificates as they are issued or observed, in a manner that allows anyone to audit CA activity and notice the issuance of suspect certificates, as well as to audit the certificate logs themselves (experimental RFC 6962).

Chief Information Officer

An organization’s official who is responsible for (i) providing advice and other assistance to the head of the organization and to other senior management personnel to ensure that information technology (IT) is acquired and that information resources are managed in a manner consistent with laws, directives, policies, regulations, and priorities established by the head of the organization, (ii) developing, maintaining, and facilitating implementation of a sound and integrated IT architecture for the organization, and (iii) promoting the effective and efficient design and operation of all major information resources management processes for the organization, including improvements to work processes of the organization (NIST SP 800-53 Revision 4 adapted).

Note: A subordinate organization may assign a chief information officer to denote an individual filling a position with security responsibilities with respect to the subordinate organization that are similar to those the chief information officer fills for the organization to which they are subordinate.

Client

1. A machine or software application that accesses a cloud over a network connection, perhaps on behalf of a consumer. (NIST SP 800-146)

2. A function that uses the public key infrastructure (PKI) to obtain certificates and validate certificates and signatures. Client functions are present in CAs and end entities. Client functions may also be present in entities that are not certificate holders. That is, a system or user that verifies signatures and validation paths is a client, even if it does not hold a certificate itself. (NIST SP 800-15)

Cloud Computing

A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. (NIST SP 800-145)

Common Name

An attribute type commonly found within a subject distinguished name in an X.500 directory information tree. When identifying machines, it is composed of a fully qualified domain name or internet protocol (IP) address.

Configuration Management

A collection of activities focused on establishing and maintaining the integrity of IT products and information systems through control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle. (NIST SP 800-53 Revision 4)

Container

A method for packaging and securely running an application within an application virtualization environment. Also known as an application container or a server application container. (NIST SP 800-190)

Cryptographic Application Programming Interface (CAPI)

An API included with Microsoft Windows operating systems that provides services to enable developers to secure Windows-based applications by using cryptography. While providing a consistent API for applications, CAPI allows specialized cryptographic modules (cryptographic service providers) to be provided by third parties, such as hardware security module (HSM) manufacturers. This enables applications to leverage the additional security of HSMs while using the same APIs they use to access built-in Windows cryptographic service providers (also known variously as CryptoAPI, Microsoft Cryptography API, MS-CAPI, or simply CAPI).

Cryptography API: Next Generation

The long-term replacement for CAPI.

Demilitarized Zone

A perimeter network or screened subnet separating a more-trusted internal network from a less-trusted external network.

Development Operations (DevOps)

A set of practices for automating the processes between software development and IT operations teams so that they can build, test, and release software faster and more reliably. The goal is to shorten the systems development life cycle and improve reliability while delivering features, fixes, and updates frequently in close alignment with business objectives.

Digital Certificate

Certificate (as defined above).

Digital Signature

The result of a cryptographic transformation of data that, when properly implemented, provides origin authentication, assurance of data integrity, and signatory nonrepudiation. (NIST SP 800-133)

Digital Signature Algorithm

One of the Federal Information Processing Standards (FIPS) for digital signatures based on the mathematical concept of modular exponentiations and the discrete logarithm problem. (FIPS 186-4)

Directory Service

A distributed database service capable of storing information, such as certificates and certificate revocation lists, in various nodes or servers distributed across a network (NIST SP 800-15) (In the context of this practice guide, a directory service stores identity information and enables authentication and identification of people and machines.)

Distinguished Name

An identifier that uniquely represents an object in the X.500 directory information tree. (RFC 4949 Version 2)

Domain

A distinct group of computers under a central administration or authority.

Domain Name

A name owned by a person or organization and consisting of an alphabetical or alphanumeric sequence, followed by a suffix indicating a top-level domain; used as an internet address to identify the location of web pages.

Domain Name Server

The internet’s equivalent of a phone book. It maintains a directory of domain names, as defined by the DNS, and translates them to IP addresses.

Domain Name System (DNS)

The system by which internet domain names and addresses are tracked and regulated as defined by IETF RFC 1034 and other related RFCs.

Elliptic Curve Digital Signature Algorithm

Elliptic Curve Digital Signature Algorithm specified in ANSI X9.62 and approved in FIPS 186.

Enrollment

The process a CA uses to create a certificate for a web server or email user (NISTIR 7682) (In the context of this practice guide, enrollment applies to the process of a certificate requester requesting a certificate, the CA issuing the certificate, and the requester retrieving the issued certificate).

Extended Validation Certificate

A certificate used for HTTPS websites and software that includes identity information subjected to an identity verification process standardized by the CA Browser Forum in its Baseline Requirements that verifies the identified owner of the website for which the certificate has been issued has exclusive rights to use the domain; exists legally, operationally, and physically; and has authorized issuance of the certificate.

Federal Information Processing Standards

A standard for adoption and use by federal departments and agencies that has been developed within the Information Technology Laboratory and published by the National Institute of Standards and Technology, a part of the U.S. Department of Commerce. A FIPS covers some topic in IT to achieve a common level of quality or some level of interoperability. (NIST SP 800-161)

Hardware Security Module

A physical computing device that provides tamper-evident and intrusion-resistant safeguarding and management of digital keys and other secrets, as well as crypto-processing. FIPS 140-2 specifies requirements for HSMs.

Host Name

Host names are most commonly defined and used in the context of DNS. The host name of a system typically refers to the fully qualified DNS domain name of that system.

Hypertext Transfer Protocol (HTTP)

A standard method for communication between clients and web servers. (NISTIR 7387)

Internet Engineering Task Force

The internet standards organization made up of network designers, operators, vendors, and researchers that defines protocol standards (e.g., IP, transmission control protocol, DNS) through processes of collaboration and consensus.

Internet Message Access Protocol

A method of communication used to read electronic mail stored in a remote server. (NISTIR 7387)

Internet of Things (IoT)

As used in this publication, user or industrial devices connected to the internet. IoT devices include sensors, controllers, and household appliances.

Internet Protocol

The internet protocol, as defined in IETF RFC 6864, is the principal communications protocol in the IETF internet protocol suite for specifying system address information when relaying datagrams across network boundaries.

Lightweight Directory Access Protocol (LDAP)

In this document, LDAP refers to the protocol defined by RFC 1777, which is also known as LDAP V2. LDAP V2 describes unauthenticated retrieval mechanisms. (NIST SP 800-15)

Microservice

A set of containers that work together to compose an application. (NIST SP 800-190)

Organization

An entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency or, as appropriate, any of its operational elements). (NIST SP 800-39) This publication is intended to provide recommendations for organizations that manage their own networks (e.g., that have a chief information officer).

Outage

A period when a service or an application is not available or when equipment is not operational.

Payment Card Industry Data Security Standard

An information security standard, administered by the Payment Card Industry Security Standards Council, for organizations that handle branded credit cards from the major card schemes.

Personal Information Number Entry Device

An electronic device used in a debit-, credit-, or smart card-based transaction to accept and encrypt the cardholder’s personal identification number.

Pivoting

A process where an attacker uses one compromised system to move to another system within an organization.

Post Office Protocol (POP)

A mailbox access protocol defined by IETF RFC 1939. POP is one of the most commonly used mailbox access protocols. (NIST SP 800-45 Version 2)

Private Key

The secret part of an asymmetric key pair that is used to digitally sign or decrypt data. (NIST SP 800-63-3)

Public CA

A trusted third party that issues certificates as defined in IETF RFC 5280. A CA is considered public if its root certificate is included in browsers and other applications by the developers of those browsers and applications. The CA/Browser Forum defines the requirements that public CAs must follow in their operations.

Public Key

The public part of an asymmetric key pair that is used to verify signatures or encrypt data. (NIST SP 800-63-3)

Public Key Cryptography

Cryptography that uses separate keys for encryption and decryption; also known as asymmetric cryptography. (NIST SP 800-77)

Public Key Infrastructure (PKI)

The framework and services that provide generation, production, distribution, control, accounting, and destruction of public key certificates. Components include the personnel, policies, processes, server platforms, software, and workstations used for administering certificates and public-private key pairs, including the ability to issue, maintain, recover, and revoke public key certificates. (NIST SP 800-53 Revision 4)

Registration Authority (RA)

An entity authorized by the CA system to collect, verify, and submit information provided by potential subscribers that is to be entered into public key certificates. The term RA refers to hardware, software, and individuals that collectively perform this function. (CNSSI 4009-2015)

Rekey

To change the value of a cryptographic key being used in a cryptographic system application; this normally entails issuing a new certificate on the new public key. (NIST SP 800-32 under Rekey (a certificate))

Renew

The act or process of extending the validity of the data binding asserted by a public key certificate by issuing a new certificate (NIST SP 800-32). (The new certificate is typically used to replace the existing certificate, and both certificates typically contain the same subject domain name and subject alternative name information. It is a best practice to generate a new key pair and CSR, i.e., rekey, when renewing a certificate, but re-keying is not required by all CAs. Renewal is typically driven by expiration of the existing certificate but could also be triggered by a suspected private-key compromise or other event requiring the existing certificate to be revoked.)

Replace

The process of installing a new certificate and removing an existing one, so that the new certificate is used in place of the existing certificate on all systems where the existing certificate is being used.

Representational State Transfer

A software architectural style that defines a common method for defining APIs for web services.

Risk Management Framework

The Risk Management Framework, presented in NIST SP 800-37, provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle. (NIST SP 800-82 Revision 2)

Rivest, Shamir, and Adleman

An algorithm approved in FIPS 186 for digital signatures and in NIST SP 800-56B for key establishment. (NIST SP 800-57 Part 1 Revision 4)

Root Certificate

A self-signed certificate, as defined by IETF RFC 5280, issued by a root CA. A root certificate is typically securely installed on systems, so they can verify end-entity certificates they receive.

Root Certificate Authority

In a hierarchical PKI, the CA whose public key serves as the most trusted datum (i.e., the beginning of trust paths) for a security domain. (NIST SP 800-32)

Rotate

The process of renewing a certificate in conjunction with a rekey, followed by the process of replacing the existing certificate with the new certificate.

Secure Hash Algorithm 1

A hash function specified in FIPS 180-2, the Secure Hash Standard. (NIST SP 800-89)

Secure Hash Algorithm 256

A hash algorithm that can be used to generate digests of messages. The digests are used to detect whether messages have been changed since the digests were generated. (FIPS 180-4)

Secure Transport

Transfer of information by using a transport layer protocol that provides security between applications communicating over an IP network.

Server

A computer or device on a network that manages network resources. Examples include file servers (to store files), print servers (to manage one or more printers), network servers (to manage network traffic), and database servers (to process database queries). (NIST SP 800-47)

Service Provider

A provider of basic services or value-added services for operation of a network; generally refers to public carriers and other commercial enterprises. (NISTIR 4734)

Simple Certificate Enrollment Protocol (SCEP)

A protocol defined in an IETF internet draft specification that is used by numerous manufacturers of network equipment and software that are developing simplified means of handling certificates for large-scale implementation to everyday users, as well as referenced in other industry standards.

Simple Mail Transfer Protocol

The primary protocol used to transfer electronic mail messages on the internet. (NISTIR 7387)

Special Publication

A type of publication issued by NIST. Specifically, the Special Publication 800 series reports on the Information Technology Laboratory’s research, guidelines, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations. The 1800 series reports the results of National Cybersecurity Center of Excellence demonstration projects.

Subject Alternative Name

A field in an X.509 certificate that identifies one or more fully qualified domain names, IP addresses, email addresses, uniform resource identifiers, or user principal names to be associated with the public key contained in a certificate.

System Administrator

Individual responsible for installation and maintenance of an information system, providing effective information system utilization, adequate security parameters, and sound implementation of established information assurance policy and procedures. (CNSSI 4009-2015)

Team

A number of persons associated together in work or activity (Merriam-Webster). As used in this publication, a team is a group of individuals that has been assigned by an organization’s management the responsibility to carry out a defined function or set of defined functions. Designations for teams as used in this publication are simply descriptive. Different organizations may have different designations for teams that carry out the functions described herein.

Transport Layer Security (TLS)

An authentication and security protocol widely implemented in browsers and web servers. TLS is defined by RFC 5246 and RFC 8446.

Trust Protection Platform

The Venafi Machine Identity Protection platform used in the example implementation described in this practice guide.

User Principal Name

In Windows Active Directory, this is the name of a system user in email address format, i.e., a concatenation of user name, the “@” symbol, and domain name.

Validation

The process of determining that an object or process is acceptable according to a predefined set of tests and the results of those tests. (NIST SP 800-152)

Web Browser

A software program that allows a user to locate, access, and display web pages.

Appendix C References

C1

E. Barker, Recommendation for Key Management: Part 1: General, NIST SP 800-57 Part 1, Revision 4, Gaithersburg, Md., Jan. 2016. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf.

C2

E. Rescorla, The Transport Layer Security (TLS) Protocol Version 1.3, Internet Engineering Task Force, Apr. 2006. Available: https://www.ietf.org/rfc/rfc4346.txt.

C3

Executive Office of the President, Office of Management and Budget (OMB), Managing Federal Information as a Strategic Resource, OMB Circular A-130, July 28, 2016. Available: https://www.federalregister.gov/documents/2016/07/28/2016-17872/revision-of-omb-circular-no-a-130-managing-information-as-a-strategic-resource.

C4

Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, NIST, Gaithersburg, Md., Apr. 16, 2018. Available: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.

C5

Joint Task Force Transformation Initiative, Guide for Conducting Risk Assessments, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 Revision 1, Gaithersburg, Md., Sept. 2012. Available: https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final.

C6

Joint Task Force Transformation Initiative, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, NIST SP 800-37 Revision 2, Gaithersburg, Md., Dec. 2018. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf.

C7

Joint Task Force Transformation Initiative, Security and Privacy Controls for Information Systems and Organizations, Draft NIST SP 800-53 Revision 5, Gaithersburg, Md., Aug. 2017. Available: https://csrc.nist.gov/CSRC/media//Publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf.

C8

M. Georgiev et al., “The most dangerous code in the world: validating SSL certificates in non-browser software,” Proceedings of the 2012 ACM conference on Computer and Communications Security, 2012, pp. 38–49. Available: http://doi.acm.org/10.1145/2382196.2382204.

C9

NIST Computer Security Resource Center Risk Management Framework guidance [Website]. Available: https://csrc.nist.gov/projects/risk-management/risk-management-framework-quick-start-guides.

C10

P. Grassi et al., Digital Identity Guidelines, NIST SP 800-63-3, Gaithersburg, Md., June 2017. Available: https://csrc.nist.gov/publications/detail/sp/800-63/3/final.

C11

T. Dierks and E. Rescorla, The Transport Layer Security (TLS) Protocol Version 1.2, Request for Comments 5246, Internet Engineering Task Force, Aug. 2008. Available: https://www.ietf.org/rfc/rfc5246.txt.

C12

U.S. Department of Commerce, Security Requirements for Cryptographic Modules, FIPS Publication 140-2, (including change notices as of Dec. 3, 2002), May 2001. Available: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf.

C13

U.S. Department of Commerce, Standards for Security Categorization of Federal Information and Information Systems, FIPS Publication 199, Feb. 2004. Available: https://csrc.nist.gov/publications/detail/fips/199/final.

C14

W. Polk et al., Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations, NIST SP 800-52 Revision 1, Gaithersburg, Md., Apr. 2014. Available: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf.