NIST SPECIAL PUBLICATION 1800 -16 Securing Web Transactions TLS Server Certificate Management Includes Executive Summary (A); Security Risks and Recommended Best Practices (B); Approach, Architecture, and Security Characteristics (C); and How -To Guides (D) Mehwish Akram William C. Barker Rob Clatterbuck Brandon Everhart Jane Gilbert William Haag Brian Johnson Alexandros Kapasouris Dung Lam Brett Pleasant Mary Raguso Murugiah Souppaya Susan Symington Paul Turner Clint Wilson DRAFT This publication is available free of charge from: https://www.nccoe.nist.gov/projects/building- blocks/tls- server -certificate -management NIST SPECIAL PUBLICATION 1800 -16 Securing Web Transactions : TLS Se rver Certificate Management Includes Executive Summary (A); Security Risks and Recommended Best Practices (B); Approach, Architecture, and Security Characteristics (C) ; How- To Guides (D) William Haag Murugiah Souppaya NIST Clint Wilson DigiCert Paul Turner Venafi Dung Lam F5 William C. Barker Dakota Consulting Alexandros Kapasouris Symantec Mehwish Akram Brandon Everhart Brian Johnson Brett Pleasant Mary Raguso Susan Symington The MITRE Corporation Rob Clatterbuck Jane Gilbert SafeNet Assured Technologies DRAFT July 2019 U.S. Department of Commerce Wilbur Ross , Secretary National Institute of Standards and Technology Walter Copan, NIST Director and Undersecretary of Commerce for Standards and Technology NIST SPECIAL PUBLICATION 1800 -16A Securing Web Transactions TLS Server Certificate Management Volume A : Executive Summary William Haag Murugiah Souppaya NIST Paul Turner Venafi William C. Barker Dakota Consulting Mary Raguso Susan Symington The MITRE Corporation July 2019 DRAFT This publication is available free of charge from: https://www.nccoe.nist.gov/projects/building- block s/tls-server -certificate -management DRAFT NIST SP 1800- 16A: Securing Web Transactions: TLS Server Certificate Management 1 Executive Summary 1 The internet has enabled rapid, seamless commerce across the globe. Billions of dollars ’ worth of 2 transactions are performed across the internet every day. This is possible only because connections 3 across the internet are trusted to be secure. Transport Layer Security (TLS), a cryptographic protocol, is 4 fundamental to this trust. 5 Organizations leverage TLS to provide the connection security that has enabled today’s unprecedented 6 levels of commerce across the internet. TLS, in turn, depends on TLS certificates. Organizations must 7 deploy TLS certificate s and corresponding private key s to their systems to provide them wi th unique 8 identities that can be reliably authenticated . The TLS certificate enables anybody connecting to a system 9 to know that they are sending their data to the right place. In addition, it also enables establishment of 10 secure connections so that no one in the middle can eavesdrop on communications. 11 Many organizations might be surprised to discover how many TLS certificates they have. A large - or 12 medium -scale enterprise may have thousands or even tens of thousands, each identifying a specific 13 server in their environment. This is because organizations use TLS not only to secure external 14 connections between themselves and their customers over the internet but also to establish trust 15 between different machines inside their own organization and thereby s ecur e internal communications. 16 Even though TLS certificates are critical to the security of both internet -facing and private web services , 17 many organizations do not have the ability to centrally monitor and manage their certificates. Instead, 18 certificate mana gement tends to be spread across each of the different groups responsible for the