NetGuard Certificate Lifecycle Manager
Automate the lifecycle management of your security certificates
NetGuard Certificate Lifecycle Manager (NCLM) is a comprehensive solution for the certificate lifecycle management of digital identities. As part of Nokia’s SOAR suite, NetGuard Adaptive Security Operations, NCLM automates the enrollment, renewal, and deployment of public keys and certificates in a centralized, secure and cost-effective way, preventing costly outages and vulnerabilities.
NCLM offers full visibility to the deployed certificate base. It improves network security posture by reducing risks arising from outdated or rogue digital identities. It improves reliability by eliminating service outages due to expired certificates and lowers operational costs through enhanced automation.
Digital certificates are the most common method for both users and machines to secure communication, authentication, and authorization in proven technologies. Enterprises, communication service providers, cloud service providers, and IoT device manufacturers use certificates as a fundamental building block of their security infrastructure. However, expired certificates can easily lead to costly outages and downtime, while weak or poorly configured certificates can be used to hijack connections, eavesdrop on network traffic, or manipulate application data.
"54% of security professionals say they don't even know how many keys and certificates they have, where they are located, or how they are used."
From the Ponemon Institute, underpinning the need for Certificate Lifecycle Management
NCLM addresses these issues and gives security and operations teams full control over their certificate lifecycle management processes. It allows for seamless integration with various public certification authorities (CAs), such as Entrust, Symantec, or DigiCert. In addition, it supports enterprise PKIs, such as Microsoft CA, Insta Certifier, or Nokia's NetGuard Certificate Manager.
NCLM is an agnostic solution and provides unified management of every single certificate regardless of the issuing source. It uses an open platform that supports plug-ins, enabling seamless integration with multivendor network elements and devices for centralized, single-step certificate deployment.
Features and benefits
Certificate enrollment: Enroll and renew a certificate on behalf of the target system
- Key pair management (generation and deletion)
- Certificate enrollment and renewal from different certification authorities via a plugin-based mechanism (supported CAs: MS-CA, Entrust, NCM)
- Certificate browsing and filtering
- Manual PKCS#12 import
- Template functionality to pre-populate certificate attributes or enrollment parameters
- Domain/FQDN whitelisting
Certificate deployment: Deploy and install certificates to a target system
- Configuration of the deployment mechanism via plugins
- Automated or manual certificate and key installation and activation
- Deployment templates to pre-populate deployment parameters
Certificate monitoring and validation: Enables control of certificate deployment and certificate correctness
- Status view of certificate enrollment and deployment
- Certificate search and filter capabilities
- Customizable email notification for certificate expiry and revocation status
- Granular reporting and alerting
- Customizable certificate metadata for enhanced asset management
- GUI-based log viewer
- Workflow-based certificate enrollment and deployment
- Certificate benchmarking against “gold standard”
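The monitoring and validation features above (expiry notification, status views, benchmarking against a "gold standard") come down to parsing each deployed certificate and comparing its properties with a policy. The following Go program, added here as an illustration and not part of NCLM or Nokia's code, shows such a benchmark: key size, signature algorithm, validity span, remaining lifetime before expiry, and presence of Subject Alternative Names. The policy thresholds (2048-bit RSA, P-256, SHA-2 signatures, 398-day maximum validity, 30-day expiry warning) and the self-signed test certificates are constructed assumptions for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy is the "gold standard" a certificate is benchmarked against.
// The thresholds are assumptions for this example, not NCLM settings.
type Policy struct {
	MinRSABits    int                              // minimum RSA modulus size in bits
	MinECBits     int                              // minimum elliptic-curve field size in bits
	MaxValidity   time.Duration                    // longest acceptable NotBefore..NotAfter span
	ExpiryWarning time.Duration                    // raise a warning when less than this remains
	AllowedSigAlg map[x509.SignatureAlgorithm]bool // signature algorithms accepted
}

// DefaultPolicy is a plausible baseline: 2048-bit RSA or P-256 keys, SHA-2
// signatures, validity no longer than 398 days, warning 30 days before expiry.
func DefaultPolicy() Policy {
	return Policy{
		MinRSABits:    2048,
		MinECBits:     256,
		MaxValidity:   398 * 24 * time.Hour,
		ExpiryWarning: 30 * 24 * time.Hour,
		AllowedSigAlg: map[x509.SignatureAlgorithm]bool{
			x509.SHA256WithRSA: true, x509.SHA384WithRSA: true, x509.SHA512WithRSA: true,
			x509.SHA256WithRSAPSS: true, x509.SHA384WithRSAPSS: true, x509.SHA512WithRSAPSS: true,
			x509.ECDSAWithSHA256: true, x509.ECDSAWithSHA384: true, x509.ECDSAWithSHA512: true,
		},
	}
}

// Benchmark compares one parsed certificate with the policy as of "now" and
// returns human-readable findings; an empty slice means the certificate conforms.
func Benchmark(cert *x509.Certificate, p Policy, now time.Time) []string {
	var findings []string
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if bits := pub.N.BitLen(); bits < p.MinRSABits {
			findings = append(findings, fmt.Sprintf("RSA key is %d bits, policy requires >= %d", bits, p.MinRSABits))
		}
	case *ecdsa.PublicKey:
		if bits := pub.Curve.Params().BitSize; bits < p.MinECBits {
			findings = append(findings, fmt.Sprintf("EC key is %d bits, policy requires >= %d", bits, p.MinECBits))
		}
	default:
		findings = append(findings, fmt.Sprintf("unsupported public key type %T", pub))
	}
	if !p.AllowedSigAlg[cert.SignatureAlgorithm] {
		findings = append(findings, "signature algorithm "+cert.SignatureAlgorithm.String()+" is not allowed")
	}
	if span := cert.NotAfter.Sub(cert.NotBefore); span > p.MaxValidity {
		findings = append(findings, fmt.Sprintf("validity period %s exceeds policy maximum %s", span, p.MaxValidity))
	}
	// Expiry status drives the notification feature: expired, expiring soon, or fine.
	switch remaining := cert.NotAfter.Sub(now); {
	case now.Before(cert.NotBefore):
		findings = append(findings, "certificate is not yet valid")
	case remaining <= 0:
		findings = append(findings, "certificate has expired")
	case remaining < p.ExpiryWarning:
		findings = append(findings, fmt.Sprintf("certificate expires in %s (warning threshold %s)", remaining.Round(time.Hour), p.ExpiryWarning))
	}
	if len(cert.DNSNames) == 0 {
		findings = append(findings, "no Subject Alternative Name DNS entries")
	}
	return findings
}

// NewTestCert builds a constructed self-signed certificate for the example; a real
// deployment would load certificates discovered or enrolled through the manager.
func NewTestCert(key crypto.Signer, notBefore time.Time, validFor time.Duration, dns []string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validFor),
		DNSNames:     dns,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewECKey and NewRSAKey wrap key generation so the example reads top to bottom.
func NewECKey() (crypto.Signer, error)          { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
func NewRSAKey(bits int) (crypto.Signer, error) { return rsa.GenerateKey(rand.Reader, bits) }

func main() {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC) // fixed clock so the output is reproducible
	key, _ := NewECKey()
	good, _ := NewTestCert(key, now.Add(-24*time.Hour), 90*24*time.Hour, []string{"api.example.test"})
	soon, _ := NewTestCert(key, now.Add(-80*24*time.Hour), 90*24*time.Hour, []string{"api.example.test"})
	fmt.Println("good:", Benchmark(good, DefaultPolicy(), now))
	fmt.Println("soon:", Benchmark(soon, DefaultPolicy(), now))
}
```

Run it as-is to see a conforming certificate produce no findings and one ten days from expiry produce a warning; in a monitoring pipeline the returned findings would feed the notification and reporting step, with the policy loaded from configuration rather than hard-coded.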
Certificate discovery: Ability to scan network ranges for SSL/TLS-enabled devices and discover certificate-based services
- Network scans based on IP addresses or IP ranges
- Service scanning and identification
- Automatic import into NCLM for further certificate management
- Email notification and reporting
Active directory integration: Simplified management of PKI users and groups from Microsoft Active Directory
- Active Directory group-based access mapping to target system groups or systems
- Definition of granular access permissions (e.g. read-only, read-write, access to private key) based on user roles
- Role-based access to enrollment and deployment plugin configuration
- “Need to know” principle