Certificate lifecycle management with Remme Keyhub, by Robert Pearman, Thu, Jun 13 2019
Keyhub from Remme seeks to bridge the gap between manual public key infrastructure (PKI) certificate management and the automated dreamland we all hope to find ourselves in one day.
Keyhub builds a comprehensive list of all certificates in use for a given domain, including subdomains, and displays them in an easy-to-understand dashboard. Its consolidation is a big step forward from the perhaps more traditional spreadsheet-based list of certificate names and expiry dates.
Using publicly available sources such as DNS and Certificate Transparency logs (and, in a future release, search engines), Keyhub queries for certificates issued to a given domain and pulls the information into an easy-to-navigate dashboard.
The dashboard is broken up to give you a quick overview of your PKI estate, letting you zero in on upcoming expirations with helpful intervals at 30, 14, and 5 days out, and it also groups any currently expired certificates.
It doesn't just evaluate expiry dates, though: it also calls out certificates using "weak" keys or the deprecated Secure Hash Algorithm 1 (SHA-1) as the signature hash.
Keyhub lets you run certificate discovery on demand or on a schedule and stores configuration for a given domain name in a profile.
The profile contains the target (the domain name), whether to include subdomains, the port numbers (you can enter 443 as a default, additional ports, or ranges), and your schedule settings.
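To make the dashboard logic and the profile's port handling concrete, here is an added example in Python using only the standard library. It is not Keyhub's code and not from the original post: it expands a profile-style port specification (single ports, comma-separated lists, and ranges) into scan targets, then sorts a certificate inventory into the same buckets the dashboard uses (expired, 5, 14, and 30 days) and flags SHA-1 signatures and weak keys. The weak-key thresholds (RSA below 2048 bits, EC below 256 bits) are my assumption, since the post does not say how Keyhub defines "weak"; the sample inventory is constructed, and the `fetch_not_after` helper, which reads a live server's expiry date, is included only to show where real data would enter.

```python
"""Added example (not Keyhub's code): expiry buckets, weak-key and SHA-1 flags,
and port-spec expansion for a certificate-monitoring profile. Stdlib only."""
import socket
import ssl
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Dashboard intervals named in the article; a cert lands in the smallest one it fits.
EXPIRY_BUCKETS = (5, 14, 30)

# Assumed "weak key" policy; the article does not define Keyhub's thresholds.
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}


@dataclass
class CertInfo:
    host: str
    port: int
    not_after: datetime          # timezone-aware UTC
    signature_algorithm: str     # e.g. "sha256WithRSAEncryption"
    key_type: str                # "RSA" or "EC"
    key_bits: int


def parse_port_spec(spec):
    """Expand a profile port spec like "443, 8443, 9000-9002" into sorted unique ports."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"bad port range: {part}")
            ports.update(range(lo, hi + 1))
        else:
            p = int(part)
            if not 1 <= p <= 65535:
                raise ValueError(f"bad port: {part}")
            ports.add(p)
    return sorted(ports)


def expiry_bucket(cert, now):
    """Return "expired", "5d", "14d", "30d" or "ok" for a certificate."""
    days_left = (cert.not_after - now).total_seconds() / 86400
    if days_left <= 0:
        return "expired"
    for limit in EXPIRY_BUCKETS:
        if days_left <= limit:
            return f"{limit}d"
    return "ok"


def weaknesses(cert):
    """List the policy problems the dashboard would call out for this certificate."""
    found = []
    if "sha1" in cert.signature_algorithm.lower():
        found.append("sha1-signature")
    minimum = MIN_KEY_BITS.get(cert.key_type.upper())
    if minimum is not None and cert.key_bits < minimum:
        found.append(f"weak-key:{cert.key_type}-{cert.key_bits}")
    return found


def build_dashboard(certs, now):
    """Group targets by expiry bucket and collect a separate map of weak certificates."""
    groups = {"expired": [], "5d": [], "14d": [], "30d": [], "ok": []}
    weak = {}
    for c in certs:
        target = f"{c.host}:{c.port}"
        groups[expiry_bucket(c, now)].append(target)
        flags = weaknesses(c)
        if flags:
            weak[target] = flags
    return groups, weak


def fetch_not_after(host, port=443, timeout=5.0):
    """Read notAfter from a live server's leaf certificate (stdlib peer-cert dict).
    The dict does not expose key size or signature algorithm, so a full inventory
    would need a DER parser such as the cryptography package."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            info = tls.getpeercert()
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(info["notAfter"]), tz=timezone.utc)


# Constructed sample inventory; these are not real hosts.
NOW = datetime(2019, 6, 13, tzinfo=timezone.utc)
SAMPLE = [
    CertInfo("www.example.test", 443, NOW + timedelta(days=3), "sha256WithRSAEncryption", "RSA", 2048),
    CertInfo("api.example.test", 8443, NOW + timedelta(days=10), "sha1WithRSAEncryption", "RSA", 2048),
    CertInfo("old.example.test", 443, NOW - timedelta(days=1), "sha256WithRSAEncryption", "RSA", 1024),
    CertInfo("mail.example.test", 443, NOW + timedelta(days=90), "ecdsa-with-SHA256", "EC", 256),
]

if __name__ == "__main__":
    print("ports:", parse_port_spec("443, 8443, 9000-9002"))
    groups, weak = build_dashboard(SAMPLE, NOW)
    for bucket, targets in groups.items():
        print(f"{bucket:>8}: {', '.join(targets) or '-'}")
    for target, flags in weak.items():
        print(f"WEAK {target}: {', '.join(flags)}")
```

Run as a script it prints the bucketed overview for the constructed inventory; a real deployment would populate `CertInfo` records from a discovery step (DNS, CT logs, or a live fetch per host and port) and run the same classification on a schedule.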
Depending on the plan you are using, you may have the ability to use an "internal" scan that, as the name suggests, scans your internal network. Doing so requires a Keyhub agent installed on a device inside your network (Windows or Linux). Unfortunately, this was not available to me in my demo version, although my own internal PKI is not complex enough to warrant using such a tool.
With other features on the horizon like scanning against Secure Shell (SSH), Active Directory user objects, and even mobile device management (MDM) profiles, the roadmap for Keyhub looks interesting. Indeed, another feature due soon is the ability to renew or revoke certificates it has discovered.
You may think this would be a key feature for a tool designed to simplify your PKI infrastructure, but I expect this will require some cooperation from certificate authorities (CAs) to allow secure API access to their services. In any case, the real priority for a tool like this is to make sure you know about renewals in advance rather than needing it to take care of this for you.
Aside from the standard reports, Keyhub also provides custom reporting, which allows you to include the parameters that are most relevant for your organization. In addition, you can schedule reports and receive them via email when it is more convenient for you. Remme also plans support for messaging platforms such as Slack.
Despite its goals and ease of use, I think Keyhub may miss out on small and medium-sized businesses, especially in the managed service provider (MSP) space, due to its pricing. While it certainly fills a need and makes keeping track of your PKI a much easier proposition, at $99 a month for 100 monitored certificates, I think many will stick to using their spreadsheets.
However, I may not be their target market. If they are pitching this to a team of developers supporting countless web properties with certificates all over the place from different CAs, a site going down due to an expired certificate may lose them ad or sales revenue. I can see that a product like Keyhub would be ideal in this scenario.
As for where Keyhub sits when compared to Let's Encrypt or other Automatic Certificate Management Environment (ACME) certificate renewal systems (DigiCert launched their own), the need for monitoring certificate expiration may become moot at some point in the future. But I don't think we are there yet. Even if your entire estate were using ACME, if you are managing PKI at scale, you would still want a status overview whether for compliance or peace of mind, and Keyhub could be the solution.
For now, the solution only tracks certificates, but in the future the company plans to create a platform that supports auto-enrollment. In addition, you will also be able to manage machine identities and track various types of digital keys.