Certificate Management Best Practices Summary
For more details, please refer to our certificate management document.
Best practices list:
- Restrict certificate validity to short periods of time
- Automate certificate renewal/refresh
- Validate certificates and check their revocation status (OCSP)
- Do not use self-signed certs
- Do not use wildcard certs
- Establish and maintain a complete certificate inventory: you must know where each certificate is deployed, who owns it, when it expires, and which CA issued it
- Run frequent endpoint/port scans to detect self-signed, expiring, wildcard, and other out-of-policy certificates
- Go beyond HTTPS endpoints: also scan other TLS-enabled TCP services, certificates on disk, certificates embedded in container images, etc.
- Minimize trust between system components; do not blindly trust every certificate or every CA
- Do not trust all public CAs by default; restrict each component's trust store to the CAs it actually needs
- Use an internal CA for internal communications/calls
- Implement certificate pinning, with a rotation plan: pin the CA or the public key rather than the leaf certificate, because a pin that outlives the certificate it was set for causes an outage rather than a security gain
- Implement a comprehensive approach to protecting private keys (protect them with a passphrase, keep the keys separate from the public certificates, never commit keys to the same git repository as the code)
- Keep certificates outside of Docker images; mount them from volumes so they can be rotated without rebuilding the image
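The inventory scan points above (short validity, no self-signed certs, no wildcards, detecting out-of-policy certificates) are easier to enforce with a small policy checker than with a spreadsheet. The following Go program is an added example, not code from the certificate management document or any tool it references. It uses only the standard library: CheckCert returns the policy findings for one parsed certificate, FetchPeerCerts pulls the chain a live TLS endpoint presents (verification is deliberately disabled so that out-of-policy certificates are recorded rather than rejected), and MakeSelfSignedCert builds a constructed test certificate in memory so the checker runs offline. The 90-day maximum validity and the 14-day renewal window are assumed thresholds, not values from the summary above.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Policy thresholds. Assumed values for illustration, not numbers from the summary.
const (
	MaxValidity   = 90 * 24 * time.Hour // longest validity period the policy allows
	RenewalWindow = 14 * 24 * time.Hour // flag certificates expiring sooner than this
)

// CheckCert returns the policy findings for one certificate evaluated at time now.
// An empty slice means the certificate is in policy.
func CheckCert(cert *x509.Certificate, now time.Time) []string {
	var findings []string

	// Self-signed: issuer equals subject and the certificate's own key verifies its
	// signature. CheckSignature is used rather than CheckSignatureFrom because the
	// latter rejects non-CA parents, and a self-signed leaf is exactly the case to catch.
	if bytes.Equal(cert.RawSubject, cert.RawIssuer) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		findings = append(findings, "self-signed")
	}

	// Wildcard: any DNS SAN (or legacy CN) that begins with "*."
	names := append([]string{cert.Subject.CommonName}, cert.DNSNames...)
	for _, n := range names {
		if strings.HasPrefix(n, "*.") {
			findings = append(findings, "wildcard name "+n)
			break
		}
	}

	// Validity period longer than the policy allows.
	if lifetime := cert.NotAfter.Sub(cert.NotBefore); lifetime > MaxValidity {
		findings = append(findings, fmt.Sprintf("validity %s exceeds %s",
			lifetime.Round(time.Hour), MaxValidity))
	}

	// Expired, or inside the renewal window (automation should already have renewed it).
	switch {
	case now.After(cert.NotAfter):
		findings = append(findings, "expired")
	case cert.NotAfter.Sub(now) < RenewalWindow:
		findings = append(findings, "expires within renewal window")
	}
	return findings
}

// FetchPeerCerts connects to addr (host:port) and returns the chain the server presented.
// Verification is disabled on purpose: an inventory scan records out-of-policy
// certificates instead of refusing them. Needs network access; not exercised offline.
func FetchPeerCerts(addr string) ([]*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates, nil
}

// MakeSelfSignedCert builds a constructed self-signed certificate in memory so the
// checker can be exercised without touching a real host.
func MakeSelfSignedCert(dnsNames []string, notBefore time.Time, validity time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	// Constructed sample: a one-year self-signed wildcard certificate, out of policy three ways.
	cert, err := MakeSelfSignedCert([]string{"*.internal.example"}, now.Add(-24*time.Hour), 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println(CheckCert(cert, now))
}
```

To turn this into the scan the list calls for, feed CheckCert every certificate from FetchPeerCerts across the port inventory and every PEM file found on disk, and alert on any non-empty result; the "expires within renewal window" finding is the one that tells you renewal automation has silently stopped working.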