Looking for an alternative to Venafi that helps you monitor your certificates to stop downtime and security risk? You’re in the right place.
Here is your definitive comparison guide for Venafi and Red Sift Certificates – one of the most popular Venafi alternatives on the market.
Red Sift Certificates Overview
Red Sift Certificates is a market-leading certificate monitoring application. Red Sift Certificates provides real-time discovery of new certificates and seamless monitoring for misconfiguration, expiration and revocation. While Red Sift Certificates does not issue, renew or revoke certificates, it is used by organizations like Coop, Rakuten, William Fry, and Denic to stop certificate-related outages and security risk.
Red Sift Certificates functionality was previously part of Hardenize. Hardenize was acquired by Red Sift in 2022. The Hardenize team, including founder Ivan Ristic (creator of SSL Labs and author of Bulletproof TLS and PKI), joined the Red Sift organization following the acquisition.
Venafi TLS Protect Cloud is Venafi’s cloud-based certificate management tool. According to their docs, Venafi TLS Protect “allows certificate administrators to track certificate usage and compliance in their organization, discovering certificates across the enterprise, and eliminating certificate-caused outages by ensuring certificates are renewed before they expire.”
Generally, Venafi documents TLS Protect’s core capabilities around discovery, inventorying and monitoring.
In October 2023, Venafi launched the Venafi Control Plane. This functionality is layered with Venafi TLS Protect Cloud to provide Certificate Lifecycle Management (CLM) capabilities – specifically automated certificate renewal.
It is important to note that while these two items are separate products and may have separate pricing, they are frequently used together. For the purposes of this blog, when we say “Venafi” we will be referencing these two products used together.
The comparison tl;dr
While Red Sift Certificates and Venafi can both help teams stop PKI-related security risks and downtime, the two applications go about this in different ways. Red Sift Certificates is a Certificate Monitoring tool while Venafi has full CLM capabilities.
Which tool is right for you depends on your requirements and the problems your team is looking to solve.
Red Sift Certificates gives teams unmatched insight into their certificates to automate inventory, stop misuse, and avoid certificate-related downtime. Because Red Sift Certificates ingests millions of entries each month from certificate transparency (CT) logs, users get unmatched data surfaced in real-time. Red Sift Certificates is deployed within minutes and can easily be integrated with the tools of your choice.
For teams looking to automate all steps across the certificate lifecycle, including issuing, renewing and revoking certificates, Venafi is a better alternative. While more time-consuming to deploy and lacking the granularity of data some teams need, its automation capabilities are often cited by users as their most loved features.
Let’s get into the nitty-gritty of how these two tools compare 👇
One of the biggest differences between Red Sift Certificates and Venafi is how they discover certificates that belong to an organization. Red Sift Certificates uses fully automated discovery capabilities that layer host monitoring, network monitoring and certificate transparency (CT) log scanning in real-time. Venafi has a combination of internet scanners, TLS log monitoring, and supports internal discovery with user-input search criteria.
Red Sift Certificates: Automated certificate discovery for complete visibility
Red Sift Certificates builds a complete certificate inventory via automated discovery that includes both network scanning and CT log monitoring.
As a first step, Red Sift Certificates automatically builds an inventory of certificates that are installed on your global network infrastructure. Starting from a single seed domain, the automated and continuous discovery service examines all hosts, network ranges, domains and dynamic IP addresses. Red Sift Certificates collects and inventories all certificates encountered during the assessment, including those on SMTP, HTTP, or any other TLS-enabled service. In as little as an hour, a user will see substantial results.
For more comprehensive visibility, users can also connect to cloud accounts including Google Cloud Platform (GCP), Amazon Web Services, and Microsoft Azure. Users can also connect to their preferred Certificate Authorities such as DigiCert and Entrust, and then import certificates and associated metadata directly.
This is the foundation of a comprehensive inventory of all certificates belonging to the user’s organization.
Red Sift Certificates also monitors CT logs in real time to discover all publicly-trusted certificates from any certificate authority (CA). With that, any interested party can audit CAs’ operations as well as keep an eye on the certificates issued for their domain names.
More than 7 billion certificates have been processed by Red Sift Certificates to date. Monitoring of certificates takes place from 10 locations globally to help customers who have distributed networks.
It is important to point out that Red Sift Certificates does not currently support private certificate monitoring. This feature is coming in 2024.
According to support documentation, Venafi allows for “multiple types of discovery scans that target internal and external resources.”
For internet-facing assets, Venafi will conduct an internet scan based on the domain a user registered with. When given a domain, the application will scan TLS transparency logs to get a list of certificates with the user’s domain name on them. To avoid DoS attacks and other bad behavior, the scanner is limited to scanning only port 443 on the target endpoints. After this initial lookup, steps to resolve the certificates’ installation locations and validate their configuration are performed. This provides users with an inventory of all certificates, their installation locations, certain configuration aspects, plus all certificate metadata.
To identify certificates on a private network, “Private scanners perform scans of private network assets or possibly public internet facing assets when those assets are on ports other than 443 or may be black/white listed to allow only trusted sources…Private scanners do not perform recursive lookups as an internet-domain scan will. Rather, specific endpoints provided as an FQDN, IP or more commonly subnets must be provided.”
It is important to note that there are two types of discovery scans for private assets – Basic and Enhanced. Enhanced requires TLS Protect Cloud Premium.
The Basic Scan is powered by a self-contained executable designed to be run in an ad-hoc fashion or via scheduled task/cron job. It is not recommended for long-term use in production.
An Enhanced Scan “performs discovery, but adds validation, SNI lookup support, the ability to push certificates to endpoints, generate private key data, and more.”
Data’s like a loaf of bread – great when it’s fresh, but nobody wants it when it’s stale!
There is only value in understanding where your certificates are deployed if that data is fresh. Red Sift Certificates scans in real-time for all customers whereas Venafi allows users to schedule most scans daily, though some of these capabilities are dependent on the tier purchased.
Red Sift: Real-time discovery and validation united
Red Sift Certificates is the only certificate monitoring tool on the market that can ingest CT logs in real-time. By continuously scanning the internet and your network in real-time, users can be sure that information about new, existing and expiring certificates is up to date. This includes information about misconfigured certificate chains.
Newly issued certificates, renewals, and revocations are added and updated in real-time. The certificate chain is validated at least once a day.
As a result, users receive up-to-the-minute email and API notifications about all new certificates, checking installation locations, misconfigurations, and upcoming expirations with all the data needed to prioritize, triage, and remediate.
Venafi provides different options for automating discovery and validation.
According to the docs, “…the Internet Discovery service schedule is enabled so that the discovery of external certificates is performed automatically. However, you can modify or even disable its schedule.” It is not immediately clear whether this automated discovery scan happens continuously in real time or on a set cadence.
For private scanning, Enhanced scans run every 24 hours. As mentioned previously, Basic scans run on an ad hoc basis or can be scheduled through cron jobs.
To ensure a certificate remains valid, Venafi will run a validation scan on each certificate every 24 hours. This includes scanning for both SSL/TLS validation and certificate chain validation. Users are also able to trigger a scan manually at any time.
Red Sift and Venafi go about taking action in two different ways. Red Sift focuses on getting users the best information they need to take the required steps, while Venafi focuses on automation. Both have pros and cons, and deciding which is best comes down to your organization and business problems.
Red Sift: Information to take action and stop outages
Because Red Sift Certificates monitors CT logs, it provides seamless expiration monitoring and detailed deployment information. This information empowers users to take action when issues arise and prevent certificate-related outages.
For expiration monitoring, Red Sift Certificates lists the network endpoints with certificates that have expiry dates that are overdue, critical, or have expired. Users can also export this list as a CSV or a JSON file.
If a user needs to take action to remediate an issue with a certificate, Red Sift Certificates surfaces all of the needed information, including the corresponding host, hostname, location, where it was last seen, the expiry date, and certificate number.
For each certificate, a user can see the host name and network location as well as services, ports, and ASN to help speed up prioritization.
This information is surfaced for all discovered certificates – including those issued by another team.
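A minimal version of the two checks described above (the expired/critical/overdue buckets of the endpoint listing, and the chain validation mentioned earlier), as an added Go example that is neither Red Sift's nor Venafi's code; the 7-day and 30-day thresholds, the function names and the constructed test CA are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// ClassifyExpiry buckets a certificate's NotAfter by the time left at now. The 7-day and
// 30-day thresholds are assumptions; the page gives no values for its overdue/critical buckets.
func ClassifyExpiry(notAfter, now time.Time) string {
	switch left := notAfter.Sub(now); {
	case left <= 0:
		return "expired"
	case left <= 7*24*time.Hour:
		return "critical"
	case left <= 30*24*time.Hour:
		return "overdue"
	}
	return "ok"
}

// Check is one monitoring pass over what an endpoint serves: the expiry bucket, and whether the
// served intermediates link the leaf to a trusted root (a missing intermediate is the usual misconfigured chain).
func Check(leaf *x509.Certificate, served, roots *x509.CertPool, now time.Time) (string, bool) {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: served, CurrentTime: now})
	return ClassifyExpiry(leaf.NotAfter, now), err == nil
}

// mkCert signs a constructed test certificate; parent == nil means self-signed (a root).
func mkCert(cn string, isCA bool, notAfter time.Time, parent *x509.Certificate, pKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: notAfter.AddDate(-20, 0, 0), NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // NotBefore back-dated so every test cert is already valid
	}
	if parent == nil {
		parent, pKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pKey) // test data: errors ignored for brevity
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

Run it with a test that builds a constructed root, intermediate and leaf, then calls Check once with an empty served pool (chain fails) and once with the intermediate added (chain verifies).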
Both manual and automated certificate renewal are handled through Venafi Control Plane. This can help users with issuance challenges avoid downtime related to expiring certificates.
According to Venafi, “If the right conditions are met, a certificate can be renewed with just a couple of clicks, while maintaining important metadata, such as its associated tags.”
Venafi seemingly offers two paths for manual renewal – a Renew Certificate modal and a Certificate Request wizard.
“TLS Protect Cloud presents the Renew Certificate modal when the certificate meets the following criteria:
- It was issued using Automated Secure Keypair
- It is assigned to just one application
- The certificate data still complies with the certificate issuing template
If any of these aren’t met, then the Certificate Request wizard opens instead.”
The Certificate Request wizard is a more involved, 6-step process.
Control Plane Resource Owners are able to set up auto-renewal for certificates that have an associated certificate signing request (CSR), an expiration date within the configured auto-renewal window, and are associated with one application that has auto-renew enabled.
Users can also rely on this functionality for auto-provisioning.
Integrating with Your Stack
Red Sift: Out-of-the-box integrations and a REST API
Red Sift Certificates provides seamless monitoring of all assets and resources that are exposed to the public through third-party integrations, helping you to discover more certificates. These integrations include:
- Cloud computing platforms. Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure.
- Certificate Authorities. DigiCert and Entrust.
- Registrars. CSC, MarkMonitor, and Safenames.
- Content delivery networks (CDNs). Cloudflare.
Once an integration is configured, Red Sift Certificates will check for assets daily, import any new assets that are found and begin monitoring configurations, remove resources that no longer exist in the integration account, and provide information to help understand where these assets originated from.
For users interested in using the Red Sift Certificates REST API for integration and automation, the docs provide detailed information about how to retrieve information about all your certificates, quickly identify problematic endpoints, subscribe to new certificate events, and manually upload your new certificates to us as they become available.
Venafi’s docs detail integrations with AWS to provision new certificates in AWS Certificate Manager (ACM) and CyberArk to access credentials stored in a CyberArk vault when performing functions like provisioning certificates to machines.
Similar to Red Sift Certificates, Venafi also has a REST API to allow for simplified integration and automation. Common use cases include understanding what certificate issuance policies are being enforced, requesting certificates, understanding what certificates have been issued by your organization, and extracting data for custom reports.
So, which one to choose?
Deciding between Red Sift Certificates and Venafi ultimately comes down to the business problems you are looking to solve. To get a better understanding of your PKI estate through continuous intelligence, automation and integration, Red Sift Certificates is the way to go. To solve for issuance and renewal challenges with automation, Venafi can offer a solid path forward.
To see how to build your PKI security, visit the Red Sift Certificates webpage.