This is very environment dependent, as others have pointed out:

I will give you my security/audit/risk management view of the matter.

1) Certificates and the security they bring to a server's
communications/application data/credentials, or whatever you are utilizing
them for, is a security function.
2) The requirement on whether an application/server or computing system
utilizes encryption via certificates is a function of both information
security and the business requirements, along with the risk management function
of what you are trying to protect.
3) Having Security control the certificate generation/issuance function and
IT/Business apply certs follows separation of duties (again, some
environments won't be able to do this).

So to say just put it on IT or put it on the business might be selling
things a little short, when Infosec should and must have some skin in the
game, whether they want to or not.

Sincerely,
Ed

On Tue, Jul 5, 2016 at 8:06 PM, CESAR.ABREG0 . <[email protected]> wrote:

> +1 the application owner, especially in mid-to-large environments where teams
> are very segmented.
>
> Just like an outside cert provider only gives you the cert and the company
> engineer needs to configure it, keep up the apps and be vigilant of
> expiration.
>
> On Tue, Jul 5, 2016, 5:00 PM Jack Kramer <[email protected]> wrote:
>
>> The application owner should be responsible if you ask me. It’s an
>> awfully high burden to expect the cert management team to become familiar
>> with every application which may at some point require an SSL cert.
>>
>>
>> > On Jul 5, 2016, at 6:50 PM, Jonathan Raper <[email protected]> wrote:
>> >
>> > Hi all,
>> >
>> > The subject line says it all. I'm trying to work out a point of
>> delineation between our apps and infrastructure groups as to who owns
>> what....I see certificates as a point of question....
>> >
>> > So, what do you all think? For those of you who deal with larger
>> environments, who handles the certs? The application team or the
>> Infrastructure team? I realize that there are exceptions to every rule, but
>> I'm talking in generalities here. I'm not talking about the actual
>> generation of the cert, but say you have an app group that has their own
>> custom application, and they need a cert. Infrastructure procures it, and
>> then hands it over to the apps team to install, or the infrastructure team
>> asks where it needs to be installed and then installs it?
>> >
>> > Case in point - we had an app that broke today because the cert was not
>> properly bound to the site in IIS. The Infrastructure team installed the
>> cert to the servers in the proper store, and then alerted the apps team
>> that it was there....apps team took no action, and did not communicate back
>> that they took no action, and so then the infrastructure team took no
>> action because the assumption was that it was an apps team responsibility
>> once the cert was on the server.....but then the infrastructure team ended
>> up fixing it in the end.
>> >
>> > Thanks,
>> >
>> > Jonathan
>>
>>
