Certificate Management Best Practices Summary
For more details, please refer to our certificate management document.
Best practices list:
- Restrict certificate validity to short periods of time
- Automate certificate renewal/refresh
- Implement certificate validation/revocation mechanism (OSCP)
- Do not use self-signed certs
- Do not use wildcard certs
- Establish and maintain a complete certificate inventory—you must know where each certificate is deployed, its expiration, etc.
- Run frequent endpoint/port scans to detect self-signed and other out-of-policy certificates.
- Go beyond HTTPS endpoints—also scan TCP endpoints, certs on disk, etc.
- Minimize trust between system components, don’t blindly trust all certs/all CAs
- Disable trusting to all public CAs by default
- Use the internal CA for internal communications/calls
- Implement certificate pinning
- Implement a comprehensive approach to protecting private keys (passwords, keep the keys separate from public certificates, do not keep keys in the same git repo with the code). Please refer to NIST guidelines on key management for more details
- Keep certificates outside of docker containers, put them on volumes where they can be easily updated