Certificate Validity Period Best Practice and other Key Guidelines


Certificate Validity Period Best Practice: If you are concerned about best practices for the certificate validity period, this article should interest you. A certificate has a predefined validity period.

In this article, you will learn about the top practices that deal with the certificate validity period. Pay attention as we guide you through.


This period comprises a start date and time and an end date and time. The validity period of an issued certificate cannot be changed after issuance.

Recommended Strategy for Determining Certificate Validity Period

The recommended strategy for determining certificate validity periods is to start with the certificates issued to users, computers, services, or network devices by issuing CAs.

The main point to remember is that a CA should not issue a certificate that exceeds the remaining lifetime of the CA certificate. Although the standards allow it, this scenario can leave certificates that still have validity remaining effectively expired.

This happens when the issuing CA's certificate expires. Thus, ensure that the CA has enough remaining lifetime on its certificate to issue certificates with the required validity periods.

Certificate Validity Period Best Practice: A Good Rule

A good rule of thumb is to make the CA certificate validity period at least twice as long as the maximum validity period of any CA-issued certificates.

To ensure that the remaining validity period of the policy/issuing CA does not affect the validity period of the issued certificates, you must double the validity period of the policy/issuing CA to 10 years.

In addition to doubling the validity period, follow best practice and ensure that the CA renews its CA certificate at half of the remaining validity period.

Likewise, the validity period of the root CA certificate should be double the validity period of

Amazing Guide on Certificate Validity Period Best Practice

Below are some amazing steps on certificate validity period best practices:

1. Limit the Validity Period

Do not issue certificates for long periods; renew them often. This is similar to renewing passwords, and it helps limit the damage from any potentially compromised key. The process to refresh keys/certificates must be fully automated; otherwise, a frequent renewal cycle is not practical.

Many organizations issue internal certificates for 12 or 24 months simply because they have manual and laborious processes for installing new certificates. This creates a great security risk.

Should a certificate/key get compromised, a perpetrator would be able to use it for a long time. A certificate revocation/OCSP process can help mitigate this, but unfortunately CRL/OCSP is rarely implemented for internal CAs.

2. Implement Validation/Revocation Mechanism

Implement a mechanism to quickly revoke/invalidate certificates. This can be done via OCSP/OCSP stapling, although it requires implementing an internal CA/OCSP responder.

Certificate revocation/CRL can work as well in an internal setting if properly configured. If there is no OCSP/revocation mechanism in place, then limit the certificate trust: do not make all of your components trust a single internal CA that issued all the certificates.

Instead, establish trust at the level of individual interfaces (e.g., server A communicates with server B, so server A needs to trust the certificate from server B but not its CA).

3. Automate Cert Renewal/Refresh

Automation is the only viable and reliable way to implement a truly secure certificate management process. It allows frequent certificate/key rotation, easy enforcement of all certificate policies, full visibility, and control.

Ideally, an automated process should provide all of the CA functions plus certificate distribution and installation.

The automated installation routine should allow for distributing a particular cert to all the instances (containers, VMs, etc.) constituting a given service.

4. Do not Use Self-Signed Certs

Self-signed certs have no provenance: anyone can create them, and there is no CA to consult about the validity of the cert (e.g., via OCSP). It is hard to enforce policies such as the signature type or key length for self-signed certs.

Self-signed certs provide no audit trail and no journaling similar to what Google's Certificate Transparency standard mandates.

5. Create/Maintain Certificate Inventory

There are many security scanners that scan ports and pre-defined endpoints. However, it is also important to look inside Java keystores, PEM files, and all the other artifacts containing crypto material that is bundled inside applications and may not be discoverable by a scanning process.

For example, there is no way to identify SSL client certificates just by running an endpoint scanner.

Having a complete inventory of all active certificates/keys, including their location on disk, is extremely important. It allows compromised certs to be dealt with efficiently, and it is also the first step towards automating the certificate/key management process.


Important Guide on Certificate Validity Period Best Practice

Below are some important guidelines on certificate validity period best practices:

1. Scan Certs Frequently

Many organizations have heavy-weight application/security scanning processes that take a while to run.

The result of the scan is often a voluminous report that takes a while to go through and act upon, so the scan runs infrequently.

Certificate scanning on the other hand can be very quick. It can also be paired with the automated refresh process so that the certificates/keys close to their expiration are automatically refreshed.
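As an added example (not code from the article) tying the inventory advice above to the automated refresh described here: a triage pass over a certificate inventory that records each artifact's location on disk, flagging what the refresh process should rotate now and what exceeds the validity-period policy. The inventory rows, the 30-day refresh lead time and the 90-day maximum validity are constructed assumptions.

```python
import csv
from datetime import datetime, timezone
from io import StringIO

# Constructed sample inventory: one row per key/cert artifact, keyed by its
# location on disk rather than only by the endpoint it serves.
INVENTORY_CSV = """location,subject,not_before,not_after
/etc/ssl/private/api.pem,api.internal,2024-01-01,2024-03-31
/opt/app/keystore.jks,client-cert,2023-06-01,2025-06-01
/etc/rabbitmq/server.pem,mq.internal,2024-02-15,2024-05-15
/srv/db/tls/server.pem,db.internal,2023-09-01,2024-09-01
"""

def parse_iso(date_str: str) -> datetime:
    """Parse a YYYY-MM-DD date as a UTC timestamp."""
    return datetime.fromisoformat(date_str).replace(tzinfo=timezone.utc)

def load_inventory(text: str) -> list:
    """Read the CSV inventory and convert the validity bounds to datetimes."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["not_before"] = parse_iso(row["not_before"])
        row["not_after"] = parse_iso(row["not_after"])
        rows.append(row)
    return rows

def triage(inventory: list, now: datetime,
           refresh_lead_days: int, max_validity_days: int) -> dict:
    """Return locations the refresh job must rotate now (close to expiry) and
    locations whose validity period breaks policy even if not expiring yet."""
    refresh, over_policy = [], []
    for cert in inventory:
        if (cert["not_after"] - now).days <= refresh_lead_days:
            refresh.append(cert["location"])
        if (cert["not_after"] - cert["not_before"]).days > max_validity_days:
            over_policy.append(cert["location"])
    return {"refresh": refresh, "over_policy": over_policy}

if __name__ == "__main__":
    report = triage(load_inventory(INVENTORY_CSV), parse_iso("2024-03-20"), 30, 90)
    print("rotate now:", report["refresh"])
    print("validity exceeds policy:", report["over_policy"])
```

The two-year keystore and one-year database certificate in the sample are exactly the "12 or 24 months" habit the article warns about, and they show up in the policy list long before they show up in the expiry list.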

2. Scan Non-HTTP Endpoints

Many databases and messaging products use TLS over TCP (as opposed to HTTP). This includes SQL Server, Oracle, ActiveMQ, etc.

It is more difficult to check these TCP endpoints, and some security scanners do not have good support for them.

Make sure that you have an inventory of all non-HTTP endpoints and their certificates; their scanning should be part of a regular scanning process.

3. Secure Private Keys

Keys must always be protected by a password, and applications should not store these passwords in plain text.

If you can, use a secret manager, such as HashiCorp Vault, or an alternative, to store your keys. Unfortunately, implementing these products usually takes some effort for application developers.

For Java/JVM-based applications, keystore files serve as the de facto "secrets repository" (for better or worse). Please follow our keystore best practices for specific recommendations on keystore management.

4. Secure Root Keys

Root certificates/keys used for issuing other certificates must be guarded with special care; access to these files must be strictly controlled.

5. Minimize Trust

Certificates determine trust relationships between components, at least at the transport level. First and foremost, you need to understand the data flow in your system and regulate trust accordingly.

Granted, it is much easier to deploy an internal CA cert to all services so that all trust all, but this is certainly a less secure approach. It is advisable only if there is a solid internal certificate validation/revocation process in place.

When certificate deployment is fully automated, point-to-point trust at a service level is easily implemented.

With the above guidelines and steps, you are sure of your certificate validity period best practice. If you found this article useful, feel free to share it. You can always visit this web page for more information like this.

CSN Team.
