TLS Server Certificate Management

Transport Layer Security (TLS), a widely used cryptographic protocol, depends on TLS certificates, which organizations must deploy along with their corresponding private keys to provide their systems with unique identities that can be reliably authenticated. However, many organizations do not have the ability to centrally monitor and manage their TLS certificates.

Formal TLS server certificate management programs to help large and medium enterprises identify and address their certificate risks

The NCCoE aims to help medium and large-size organizations better manage their TLS server certificates by recommending practices and demonstrating automated example solutions to help organizations prevent, detect, and recover from certificate-related incidents.

Status: Finalized Practice Guide

The NCCoE has released the final version of NIST Cybersecurity Practice Guide Special Publication 1800-16, Securing Web Transactions: Transport Layer Security (TLS) Server Certificate Management. For ease of use, the final guide is available to download or read in volumes.

This practice guide can benefit executives, chief information security officers, system administrators, and anyone else who has a stake in protecting their organization's data, privacy, and overall operational security.

Project Abstract

Securing web transactions and other client-server communications is vitally important for organizations. This project used commercially available technologies to demonstrate how medium and large enterprises that rely on Transport Layer Security (TLS) can better manage their TLS server certificates by defining policies, establishing certificate inventories, conducting continuous monitoring of certificate operational and security status, and automating certificate management. The example solution can also enable rapid migration to new certificates and keys to address vulnerabilities or compromises.

In June 2020, the NCCoE finalized NIST Special Publication (SP) 1800-16, Securing Web Transactions: TLS Server Certificate Management. Volumes A and B of SP 1800-16 provide enterprises with actionable guidance to help them establish and implement a formal TLS server certificate management program. Volume C explains the approach, architecture, and security characteristics of the example solution demonstrated in the NCCoE laboratory, and Volume D contains the how-to guides with instructions for building the example solution.

Executive leadership should establish formal TLS server certificate management programs across their enterprises.

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

Join the Community of Interest

A Community of Interest (COI) is a group of professionals and advisors who share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Members typically meet monthly by teleconference. Share your expertise and consider becoming a member of this project's COI.
