In my role at Smallstep, I talk to many people trying to do many different things with certificates. I’ve had over a hundred conversations in the last few months alone. We speak to SREs, Developers, Operators, and occasionally security pros. It’s a very technical audience that we affectionately call PKI Nerds. The conversations quickly dive into a particular certificate use case and how our tooling might address the problem. It’s a very cool perspective. I’m invited into discussions across a broad range of topics and get to see the flexibility certificate management toolchains deliver.
With our friends at Let’s Encrypt, we conducted a Certificate Management survey in December of 2020. The results reflect the reality that we hear in conversations every day. Internal PKI continues to be essential but struggles with modern practices. Instead, many rely on manual issuance and legacy platforms. There is hope. Our survey results show high interest in developer-friendly tooling from HashiCorp and Smallstep. We also see automated certificate management protocols like ACME starting to gain a foothold in internal PKI deployments. This year, over 70 participants completed the survey from a mix of all company sizes and employment backgrounds using many well-known tools.
Two legacy offerings lead the industry in adoption, with OpenSSL at 60% usage and Active Directory Certificate Services (ADCS) in use by a third of our participants (green color). Consideration of new tools (dark blue) aligns with the overall market momentum towards open source and developer-focused tools. About half of the respondents are considering using step-ca, with another 41% looking at HashiCorp Vault. In the “needs help” category are the three largest vendors in the survey: Microsoft ADCS, Amazon ACM PCA, and Google CAS. Over a third of the respondents viewed this group as not an option (yellow).
Securing Internal Services
VPNs are still the primary way of securing internal services, with about half of the respondents using VPN tunnels. It is interesting to see 30% of the respondents using insecure or single-platform approaches (42%). Time to upgrade that security posture!
With all the industry noise around service mesh and the long history of PKI for IT, it was surprising to see 37% of our respondents not using any form of internal PKI.
Managing Internal Certificates
There continues to be room for improvement when it comes to internal certificate management. Manual processes are the dominant way to distribute certificates, and we all know this approach is expensive and error-prone. While legacy automation tools like SCEP continue to exist, the market is moving on to newer methods. Again, we see open-source and developer-friendly options gaining in adoption, as shown by a combined 68% of respondents using either ACME or Let’s Encrypt.
Internal Use Cases Keep Coming
We surveyed users about plans for certificate usage, and mTLS is the most common implementation. With 30% using certificates today and another 26% with an active 2021 project, mTLS continues to be a corporate priority. At the other end of the spectrum is Document Signing, with over half the respondents indicating they have no plans for this use case.
Linux rules the new project backlog for certificates, with 71% of our respondents starting a project in the next twelve months. Relatedly, we see over half of the responses targeting certificates for services (largely running on Linux servers). SSH certificates are also on the radar for many of the respondents, with 58% indicating they are ready to get rid of the pain of managing SSH keys in 2021. Service mesh is the laggard in this list, with only 21% indicating that a new project is starting around this technology.
If you are working on internal PKI and feel a bit overwhelmed, you are not alone. It’s one of those projects that nobody wants to get wrong. There also seems to be confusion around best practices, as many vendors want you to pay for their expertise and experience. We believe open-source and open conversations are the best way to educate people on certificate management toolchains and best practices. We often hear that our blog posts are ‘the best resource available’ on these topics (you can subscribe to updates below). If you are just getting started, check out our Everything PKI blog post, or this video. We also welcome private conversations about your certificate project. We are here to help, so tell us what’s on your mind.