Follow FairCom's best practices for CA, client, and server certificates to guard against attacks and prevent outages.
General best practices
- Fill out all the values requested by FairCom's Certificate Manager.
  - Doing so allows the FairCom Certificate Manager to create unique, easily identified certificates.
- Avoid outages by renewing and distributing certificates to computers long before they expire.
  - When a CA certificate expires, it creates an outage because servers and clients reject all certificates it created.
  - When a server certificate expires, the server experiences an outage because clients refuse to connect.
  - When a client certificate expires, the client experiences an outage because the server rejects the client's authentication attempt.
  - Add appointments to multiple employee calendars to renew certificates long before they expire.
  - Give yourself enough time to renew and install certificates on the appropriate computers.
  - FairCom's Certificate Manager organizes certificates into folders named after expiration dates so you can quickly determine when to renew them.
- Renew certificates early.
  - You can renew CA, server, and client certificates at any time.
  - Proactively renew and distribute CA, client, and server certificates ahead of time to avoid outages and minimize the time an attacker has to compromise certificates.
- Be aware that a secret key always accompanies a certificate.
  - FairCom Certificate Manager stores the CA secret key and certificate in separate files. You distribute the CA certificate file and safely lock up the CA secret key file.
  - FairCom Certificate Manager stores a server secret key and certificate in the same file that you deploy to a server.
  - FairCom Certificate Manager stores a client's secret key and certificate in the same file that you deploy to a client.
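
One way to automate the renewal reminders described above, as an added example that is not FairCom's own tooling: a shell check that reports certificates inside a renewal lead time. It assumes the certificate files are PEM and that the `openssl` CLI is installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag certificates that are inside a renewal lead time.
# Assumes PEM files and the openssl CLI; function names are hypothetical.

# cert_renewal_status FILE LEAD_DAYS
# Prints "unreadable", "expired", "renew" or "ok" for the first
# certificate in FILE. A combined key-and-certificate file works too,
# because openssl x509 reads only the CERTIFICATE block.
cert_renewal_status() {
    cert_file=$1
    lead_seconds=$(( $2 * 86400 ))
    if ! openssl x509 -in "$cert_file" -noout >/dev/null 2>&1; then
        echo unreadable
    # -checkend N exits non-zero if the certificate expires within N seconds.
    elif ! openssl x509 -in "$cert_file" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$cert_file" -noout -checkend "$lead_seconds" >/dev/null 2>&1; then
        echo renew
    else
        echo ok
    fi
}

# renewal_report LEAD_DAYS FILE...
# Prints one "status<TAB>notAfter<TAB>file" line per file and returns
# non-zero when any file is not "ok", so a scheduled job can alert on it.
renewal_report() {
    lead_days=$1
    shift
    rc=0
    for f in "$@"; do
        status=$(cert_renewal_status "$f" "$lead_days")
        end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null | cut -d= -f2)
        printf '%s\t%s\t%s\n' "$status" "${end:-unknown}" "$f"
        [ "$status" = ok ] || rc=1
    done
    return "$rc"
}
```

Choose a lead time that leaves room to renew and distribute the files before the "renew" status turns into "expired".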
CA certificate and secret key files
- Secure the CA secret key file in a location that attackers cannot compromise.
  - If an attacker copies the CA key file, they can create server and client certificates and compromise all systems that use certificates.
  - If an attacker copies, destroys, or encrypts the CA key file, you must replace all your certificates: CA, server, and client.
- Expire CA certificates in 10 years.
  - Certificates have an expiration date to minimize the time available to an attacker to compromise certificates without your knowledge.
  - When a CA certificate expires, you must replace all certificates: CA, server, and client. For this reason, you do not want the CA certificate to expire often.
  - Because a CA certificate expires infrequently, you must ensure an attacker never gets the CA key file. If they do, you must replace all your certificates: CA, server, and client.
Server certificate files
- Expire server certificates in 13 months.
  - This lifetime balances the time available to an attacker to compromise certificates with the work to renew and distribute new server certificates.
  - Thirteen months gives you an extra month to renew certificates annually.
- Secure the server containing the server certificate file to help prevent attackers from stealing it.
  - Protect this file because it contains the server certificate's secret key.
  - Physically secure the server in a server room that has restricted access.
  - Lock down the file system to require elevated privileges to access the server certificate file.
  - If an attacker copies the server certificate file, they can carry out a man-in-the-middle attack. They can install the certificate on another server and change your network configuration to route clients to that server, where they can steal your information.
Client certificate files
- Expire client certificates in 13 months.
  - This lifetime balances the time available to an attacker to compromise certificates with the work to renew and distribute new server certificates.
  - Thirteen months gives you an extra month to renew certificates annually.
- Create a separate client certificate file for each user, device, and software that logs into a FairCom server. Do not create more than one client certificate for each account.
  - It allows you to uniquely identify, authenticate, and authorize each client logged into a FairCom server.
- Consider entering a passphrase when the FairCom Certificate Manager prompts you to encrypt the secret key in the client certificate file.
  - You do not need a passphrase if the client system is in a secure environment.
  - If the client system is insecure, consider using a passphrase.
  - A good passphrase increases security because an attacker who steals the client certificate cannot use it without the passphrase.
  - A good passphrase has at least 12 characters and mixes uppercase, lowercase, numeric, and special characters.
  - A passphrase increases complexity because you must configure the client system to use the passphrase. For example, a software vendor can embed the passphrase in its software, or you can embed it in a secure wallet provided by the client software, device, or operating system.
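
The file-system lockdown advised for server certificate files and the passphrase advice above can be checked with a short script. This is an added example, not FairCom code; it assumes PEM files on a POSIX system, and `key_file_findings` is a hypothetical name.

```shell
#!/bin/sh
# Added example: audit a deployed key-and-certificate file.
# Assumes a PEM file on a POSIX system; key_file_findings is a hypothetical name.

# key_file_findings FILE
# Prints one finding per line and returns non-zero if there is any.
key_file_findings() {
    f=$1
    found=0
    if [ ! -f "$f" ]; then
        echo "missing: $f"
        return 2
    fi
    # Columns 5-10 of the ls -l mode string are the group and other bits.
    # (POSIX ACLs are not inspected here.)
    perms=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "permissions: group/other access ($perms), expected owner-only"
        found=1
    fi
    # Encrypted PKCS#8 uses its own PEM label; traditional encrypted keys
    # carry a "Proc-Type: 4,ENCRYPTED" header under the BEGIN line.
    if grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e '^Proc-Type: 4,ENCRYPTED' "$f"; then
        :
    elif grep -q -e 'BEGIN [A-Z ]*PRIVATE KEY' "$f"; then
        echo "key: secret key is stored without a passphrase"
        found=1
    else
        echo "key: no secret key block found"
        found=1
    fi
    return "$found"
}
```

An unencrypted key is reported as a finding to review, since the guidance above leaves the passphrase optional for clients in a secure environment.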