Posted on 12/07/2018, Alexander Ananiev
A keystore file is a database for storing application secrets (private keys), trust certificates and CA chains. Proper keystore management is extremely important for application security.
We’ve compiled a list of keystore-related best practices in our keystore management document.
Here is a brief summary of the document:
- Do not use default keystore files
- Change default keystore passwords
- Update keystore (and keypair) passwords on a frequent basis
- Properly secure your keystore passwords, don’t store them unencrypted
- Keep private keys in a separate keystore file
- Clean up your keystores, get rid of all the expired/unused keys, certs, and CAs
- Do not package keystores inside jar/war files
- Do not package keystores inside Docker containers
- Do not store keystores in the application’s Git repo
- Use different keystore files for different environments
- Use the PKCS12 format
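Several of the items above (no keystores inside jar/war files, inside containers, or in the Git repo) are easy to check mechanically at build time. The following is an added example in Go, not code from the original post or from DPBuddy: it scans a jar/war archive (both are plain zip files) for entries whose names look like keystore files. The archive contents, the entry names and the extension list are constructed for the example and are assumptions, not taken from the post.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path"
	"strings"
)

// Extensions that conventionally hold keystores. The list is an assumption for this example;
// extend it to match local naming conventions.
var keystoreExtensions = []string{".jks", ".p12", ".pfx", ".keystore", ".bks"}

// LooksLikeKeystore reports whether an archive entry name suggests a keystore file.
func LooksLikeKeystore(name string) bool {
	lower := strings.ToLower(path.Base(name))
	for _, ext := range keystoreExtensions {
		if strings.HasSuffix(lower, ext) {
			return true
		}
	}
	return false
}

// FindEmbeddedKeystores reads a jar/war (both are zip archives) from memory and returns
// the entry names that look like keystores, in archive order.
func FindEmbeddedKeystores(archive []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, fmt.Errorf("not a zip/jar archive: %w", err)
	}
	var hits []string
	for _, f := range zr.File {
		if LooksLikeKeystore(f.Name) {
			hits = append(hits, f.Name)
		}
	}
	return hits, nil
}

// BuildSampleWar constructs a small war-like archive in memory (constructed test data, not a
// real application): a class file, a properties file and two keystores that should not be there.
func BuildSampleWar() []byte {
	entries := []struct{ name, body string }{
		{"WEB-INF/classes/com/example/App.class", "\xca\xfe\xba\xbe"},
		{"WEB-INF/classes/application.properties", "server.port=8443\n"},
		{"WEB-INF/classes/server.jks", "<placeholder bytes, not a real keystore>"},
		{"META-INF/client.p12", "<placeholder bytes, not a real keystore>"},
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		w, err := zw.Create(e.name)
		if err != nil {
			panic(err)
		}
		if _, err := w.Write([]byte(e.body)); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	hits, err := FindEmbeddedKeystores(BuildSampleWar())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if len(hits) == 0 {
		fmt.Println("OK: no keystores packaged in the archive")
		return
	}
	fmt.Println("FAIL: keystores packaged inside the archive (move them to an external, environment-specific location):")
	for _, h := range hits {
		fmt.Println("  ", h)
	}
}
```

The same name check can be pointed at a Docker image layer (also a tar of files) or run as a pre-commit hook over the Git tree; a name-based match is deliberately cheap so it can run on every build, with a hit treated as a build failure rather than a warning.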
Posted on 11/25/2018, Alexander Ananiev
For more details, please refer to our certificate management document.
Best practices list:
- Restrict certificate validity to short periods of time
- Automate certificate renewal/refresh
- Implement a certificate validation/revocation mechanism (OCSP)
- Do not use self-signed certs
- Do not use wildcard certs
- Establish and maintain a complete certificate inventory—you must know where each certificate is deployed, its expiration, etc.
- Run frequent endpoint/port scans to detect self-signed and other out-of-policy certificates.
- Go beyond HTTPS endpoints—also scan TCP endpoints, certs on disk, etc.
- Minimize trust between system components, don’t blindly trust all certs/all CAs
- Do not trust all public CAs by default
- Use the internal CA for internal communications/calls
- Implement certificate pinning
- Implement a comprehensive approach to protecting private keys (passwords, keep the keys separate from public certificates, do not keep keys in the same git repo with the code)
- Keep certificates outside of Docker containers; put them on volumes where they can be easily updated
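Several of the items in this list (short validity periods, no self-signed certificates, no wildcard certificates, a complete inventory with expiration dates, frequent scans for out-of-policy certificates) can be expressed as a single policy check run over every certificate you find. The following is an added example in Go, not code from the original post or from DPBuddy: it parses X.509 certificates with the standard library and reports each policy violation. The thresholds (398 days maximum validity, 30-day renewal warning), the certificate names and the internal CA are assumptions constructed for the example; in practice the inventory would be fed from endpoint scans and files on disk rather than generated in code.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Policy thresholds; the values are assumptions made for this example, not figures from the post.
const (
	day            = 24 * time.Hour
	MaxValidity    = 398 * day // longest validity period the policy allows
	RenewalWarning = 30 * day  // flag certificates that expire within this window
)

// CheckCertificate evaluates one certificate against the policy as of time now; an empty result means compliant.
func CheckCertificate(cert *x509.Certificate, now time.Time) []string {
	var findings []string
	// Self-signed: issuer equals subject and the signature verifies under the cert's own key.
	if bytes.Equal(cert.RawSubject, cert.RawIssuer) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		findings = append(findings, "self-signed")
	}
	// Wildcard: the CN or any DNS SAN of the form *.domain.
	for _, n := range append([]string{cert.Subject.CommonName}, cert.DNSNames...) {
		if strings.HasPrefix(n, "*.") {
			findings = append(findings, "wildcard name "+n)
			break
		}
	}
	if lifetime := cert.NotAfter.Sub(cert.NotBefore); lifetime > MaxValidity {
		findings = append(findings, fmt.Sprintf("validity period too long (%d days)", int(lifetime/day)))
	}
	switch {
	case now.After(cert.NotAfter):
		findings = append(findings, "expired")
	case cert.NotAfter.Sub(now) < RenewalWarning:
		findings = append(findings, fmt.Sprintf("expires in %d days", int(cert.NotAfter.Sub(now)/day)))
	}
	return findings
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates and parses a certificate for key; parent == nil makes it self-signed.
func issue(tmpl, parent *x509.Certificate, key, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der))
}

func leaf(serial int64, name string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
}

// SampleCertificates constructs test certificates (not real deployments), keyed by where an inventory
// would record them: an internal CA signs two leaves; the third is self-signed, wildcard and long-lived.
func SampleCertificates(now time.Time) map[string]*x509.Certificate {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	caKey := newKey()
	ca := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Internal Root CA"},
		NotBefore:             now.Add(-365 * day),
		NotAfter:              now.Add(9 * 365 * day),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}, nil, caKey, nil)
	return map[string]*x509.Certificate{
		"api gateway":       issue(leaf(2, "api.internal.example", now.Add(-10*day), now.Add(80*day)), ca, newKey(), caKey),
		"legacy app server": issue(leaf(3, "legacy.internal.example", now.Add(-360*day), now.Add(5*day)), ca, newKey(), caKey),
		"dev box":           issue(leaf(4, "*.example.com", now.Add(-365*day), now.Add(2*365*day)), nil, newKey(), nil),
	}
}

func main() {
	now := time.Date(2018, 12, 1, 0, 0, 0, 0, time.UTC) // fixed clock so the run is reproducible
	for where, cert := range SampleCertificates(now) {
		fmt.Printf("%-18s %-24s %s\n", where, cert.Subject.CommonName, strings.Join(CheckCertificate(cert, now), "; "))
	}
}
```

Running it flags the dev box certificate three times (self-signed, wildcard, 1095-day lifetime) and warns that the legacy server's certificate expires in 5 days, while the CA-issued 90-day certificate passes. Root CAs are self-signed by nature, so a real inventory would exempt entries with the CA basic constraint from the self-signed rule and instead check them against the list of approved internal CAs.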
Posted on 11/08/2018, Alexander Ananiev
We're incorporating more security reporting/compliance features into DPBuddy and we're also working on a new product related to certificate management.
As part of this work, we're attempting to compile and aggregate best practices related to certificates and key management.
A lot of it is just common sense; however, as we all know, even simple steps require some effort from developers and security professionals.
We're hoping that our document can be used as a checklist for everyone involved with application security. We're also planning to automate some, if not all, of these guidelines in the new version of DPBuddy and in our upcoming new product.
Please review our security best practices document and be sure to register for updates.