I agree with MBS's observations.
While I have seen all sorts of configurations across organizations of differing
sizes and verticals, the most effective operations (in my view) have come when
things like Certs are managed in a central rather than distributed fashion.
If you are thinking of how it should be delineated in your environment, be sure
to consider procurement, compatibility, and overall accountability. If your apps
teams are fully responsible for all things app-related, then that allows some
better options for them managing the certs than if they just develop/deploy, but
don't manage availability.
In short: Don't evaluate SSL/TLS certs in an isolated manner relative to all the
other aspects of the technology environment.

Regards,

ASB
http://XeeMe.com/AndrewBaker

On Tue, Jul 5, 2016 7:49 PM, Michael B. Smith [email protected] wrote:
Every environment is different, but in most of my clients, the infrastructure
team is responsible for certs and they provide a single point of contact for
processing CSRs, renewals, expirations, and approvals.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Jonathan Raper
Sent: Tuesday, July 5, 2016 6:51 PM
To: [email protected]
Subject: [NTSysADM] Opinion / poll - Certificates - Infrastructure, or Apps?

Hi all,

The subject line says it all. I'm trying to work out a point of delineation
between our apps and infrastructure groups as to who owns what....I see
certificates as a point of question....

So, what do you all think? For those of you who deal with larger environments,
who handles the certs? The application team or the Infrastructure team? I
realize that there are exceptions to every rule, but I'm talking in generalities
here. I'm not talking about the actual generation of the cert, but say you have
an app group that has their own custom application, and they need a cert.
Infrastructure procures it, and then hands it over to the apps team to install,
or the infrastructure team asks where it needs to be installed and then installs
it?

Case in point - we had an app that broke today because the cert was not properly
bound to the site in IIS. The Infrastructure team installed the cert to the
servers in the proper store, and then alerted the apps team that it was
there....apps team took no action, and did not communicate back that they took
no action, and so then the infrastructure team took no action because the
assumption was that it was an apps team responsibility once the cert was on the
server.....but then the infrastructure team ended up fixing it in the end.

Thanks,

Jonathan
