Certificate Management Best Practices Summary

November 25, 2018 | Posted in certificates,security

For more details, please refer to our certificate management document.

Best practices list:

  • Restrict certificate validity to short periods of time
  • Automate certificate renewal/refresh
  • Implement certificate validation/revocation mechanism (OSCP)
  • Do not use self-signed certs
  • Do not use wildcard certs
  • Establish and maintain a complete certificate inventory—you must know where each certificate is deployed, its expiration, etc.
  • Run frequent endpoint/port scans to detect self-signed and other out-of-policy certificates.
  • Go beyond HTTPS endpoints—also scan TCP endpoints, certs on disk, etc.
  • Minimize trust between system components, don’t blindly trust all certs/all CAs
  • Disable trusting to all public CAs by default
  • Use the internal CA for internal communications/calls
  • Implement certificate pinning
  • Implement a comprehensive approach to protecting private keys (passwords, keep the keys separate from public certificates, do not keep keys in the same git repo with the code)
  • Keep certificates outside of docker containers, put them on volumes where they can be easily updated