.. highlight:: bash .. index:: Certificate management .. _cert_mgmt: Certificate Management ====================== You can use DPBuddy for full life cycle certificate/crypto management, including reporting and deployment. Always follow these best practices with keys/certificates: * Rotate keys and certificates often. This is similar to renewing passwords, it helps contain the damage from any potentially compromised key. Frequent rotation is practical only Very often, a self-signed certificate is issued for a long period of time and then is propagated to many different applications/components. Issue certificates for short period of time, have a good tracking mechanism of certificate expiration Establish strong chain of trust, do not trust each and every server in the network, do not trust the CA. Have an inventory of all the Certificates, be aware how they are stored We recommend using a centralized secret manager as the signle source of truth for all the keys and certificates. Use internal CA for all certificates. Implement a mechanism to quickly revoke/invalidate certificates. This could be done via OSCP/CRL, although it does require implementing an internal CA/OCSP responder. .. _listCerts: ``listCerts`` ------------- ``listCerts`` prints the list of all certificates and their expiration dates residing in the DataPower "cert://" filesystem. .. _certDeployment: Certificate and Key Deployment ------------------------------