Skip to main content

Anchor - Certificate Management

Anchor provides comprehensive TLS/SSL certificate discovery and monitoring across your OT sites. Automatically scan networks for certificates, track expiration dates, identify security risks, and maintain compliance with certificate management policies.

How Anchor Works

Anchor continuously monitors your OT environment for TLS/SSL certificates through multiple scan methods:

  1. Discovery Scans: Broad network sweeps to find certificate-enabled services
  2. Targeted Scans: Specific host and port combinations for known services
  3. Scheduled Scans: Recurring scans to track certificate changes over time
  4. Device Correlation: Match certificates to known devices in Manifest

Scan Types and Methods

Discovery Scans

  • Scope: Broad network ranges (192.168.1.0/24, 10.0.0.0/8)
  • Ports: Common TLS ports (443, 993, 995, 465) plus custom ranges
  • Protocol Detection: Automatic service identification and certificate extraction
  • Performance: Optimized for large networks with minimal impact

Targeted Scans

  • Scope: Specific IP addresses and port combinations
  • Use Cases: Critical infrastructure, known certificate services
  • Custom Ports: Support for non-standard TLS implementations
  • Deep Inspection: Extended certificate chain analysis

Scheduled Scans

  • Frequency: Daily, weekly, monthly, or custom cron expressions
  • Automation: Unattended certificate monitoring
  • Change Detection: Automatic alerts when certificates change
  • Historical Tracking: Certificate renewal and replacement history

Default Scan Ports

PortServiceProtocolCommon Use Cases
443HTTPSWeb servicesHMI interfaces, web servers, REST APIs
993IMAPSEmailSecure IMAP email servers
995POP3SEmailSecure POP3 email servers
465SMTPSEmailSecure SMTP email submission

Custom Port Ranges

  • Industrial Protocols: OPC UA (4840), MQTT over TLS (8883)
  • Management Interfaces: SSH (22), SNMP over TLS (10161)
  • Application Specific: Custom HTTPS ports (8443, 9443, 8080)

Certificate Analysis

Certificate Details

For each discovered certificate, Anchor extracts and analyzes:

  • Subject Information: Common Name (CN), Organization, Country
  • Issuer Details: Certificate Authority, signing chain
  • Subject Alternative Names (SANs): Additional hostnames and IP addresses
  • Key Algorithm and Size: RSA, ECDSA, key strength analysis
  • Signature Algorithm: SHA-256, SHA-1, MD5 deprecation warnings
  • Validity Period: Issue date, expiration date, certificate lifetime

Chain Validation

  • Complete Chain: Root CA to end-entity certificate validation
  • Trust Store: Verification against standard and custom CA bundles
  • Intermediate CAs: Missing intermediate certificate detection
  • Cross-Signing: Multiple validation path analysis

Certificate Status Classification

Active Certificates

  • Definition: More than 30 days until expiration
  • Status: Fully operational and valid
  • Monitoring: Regular renewal tracking
  • Alerts: No immediate action required

Expiring Certificates

  • Definition: 30 days or fewer until expiration
  • Status: Requires renewal planning
  • Monitoring: Daily expiration checks
  • Alerts: Email notifications and dashboard warnings

Expired Certificates

  • Definition: Past expiration date
  • Status: Invalid, potential service disruption
  • Monitoring: Immediate attention required
  • Alerts: High-priority notifications

Security Risk Indicators

Self-Signed Certificates

  • Risk: No third-party validation, potential MITM attacks
  • Detection: Issuer equals subject identification
  • Recommendations: Replace with CA-issued certificates
  • Use Cases: Internal development, isolated systems

Weak Key Strength

  • Risk: RSA keys smaller than 2048 bits, vulnerable to factorization
  • Detection: Key algorithm and size analysis
  • Recommendations: Upgrade to RSA 2048+ or ECDSA P-256+
  • Timeline: Industry standard deprecation schedules

Deprecated TLS Versions

  • Risk: TLS 1.0, TLS 1.1, SSLv3 protocol vulnerabilities
  • Detection: Protocol version during TLS handshake
  • Recommendations: Upgrade to TLS 1.2 or TLS 1.3
  • Compliance: PCI DSS, HIPAA, industrial security standards

Organizational Dashboard

Certificate Health Summary

  • Total Certificates: Organization-wide certificate count
  • Health Score: Weighted score based on expiration and security risks
  • Risk Categories: Active, expiring, expired, security risks
  • Trend Analysis: Certificate health over time

Site-Based Grouping

  • Geographic Sites: Physical facility organization
  • Network Segments: Production, DMZ, office networks
  • Service Types: Web services, email, industrial protocols
  • Device Categories: HMIs, PLCs, servers, network equipment

Protocol Distribution

  • HTTPS/Web Services: Web-based interfaces and APIs
  • Email Security: IMAP, POP3, SMTP over TLS
  • Industrial Protocols: OPC UA, secure Modbus, encrypted tunnels
  • Management Protocols: SSH, SNMP, device administration

Device Correlation

Manifest Integration

  • Automatic Matching: IP address and hostname correlation
  • Device Enrichment: Certificate information added to asset records
  • Service Discovery: TLS-enabled services per device
  • Configuration Tracking: Certificate deployment and updates

Multi-Certificate Devices

  • Service Mapping: Multiple certificates per device (web, API, management)
  • Certificate Families: Related certificates with shared characteristics
  • Renewal Coordination: Synchronized certificate replacement

Monitoring and Alerting

Alert Configuration

  • Expiration Warnings: Customizable warning periods (30, 60, 90 days)
  • Security Risk Alerts: Weak keys, deprecated protocols, self-signed certificates
  • Change Notifications: New certificates, renewals, replacements
  • Compliance Alerts: Policy violations, audit requirements

Alert Suppression

  • Temporary Suppression: During maintenance windows
  • Permanent Exceptions: Approved security risks, legacy systems
  • Conditional Rules: Site-specific or device-specific exceptions
  • Bulk Operations: Multi-certificate suppression management

Integration with Other Modules

Manifest Integration

  • Device Correlation: Certificates linked to asset inventory
  • Service Discovery: TLS services added to device profiles
  • Configuration Management: Certificate deployment tracking
  • Lifecycle Management: Certificate renewal as part of device maintenance

Reports Integration

  • Certificate Health Report: Comprehensive certificate status reporting
  • Executive Summary: High-level certificate security posture
  • Compliance Reports: Audit-ready certificate documentation
  • Trend Analysis: Certificate security improvements over time

Gateway Integration

  • Secure Scanning: Gateway-based certificate discovery
  • Network Access: Scan through encrypted tunnels
  • Performance Optimization: Distributed scanning across multiple Gateways

Getting Started with Anchor

  1. Configure Initial Scan

    • Define network ranges for discovery
    • Set scan frequency and scheduling
    • Configure custom ports if needed

  2. Run Discovery Scan

    • Start broad network discovery
    • Monitor scan progress and results
    • Review discovered certificates and services

  3. Analyze Security Posture

    • Review certificate health dashboard
    • Identify expiring and expired certificates
    • Flag security risks and weak configurations

  4. Set Up Monitoring

    • Configure expiration alerts and warnings
    • Set up recurring scans for ongoing monitoring
    • Customize alert thresholds for your environment

  5. Correlate with Assets

    • Link certificates to devices in Manifest
    • Verify service mappings and configurations
    • Update asset records with certificate information

  6. Maintain and Improve

    • Schedule certificate renewals before expiration
    • Replace weak or deprecated certificates
    • Monitor compliance with security policies