Work with certificates professionally

29 Oct 2021 | Jindřich Zechmeister

According to a figure widely quoted in the industry, 60% of companies had to deal with the consequences of mishandled certificates last year. A certificate is not an isolated object: other applications and services on the same server depend on it, and when it is deployed or renewed incorrectly they fail along with it. In the following article we advise you on how to work with a certificate, because its administration does not end with installation. With a few tips you can stay out of that statistic while getting the full security benefit a certificate offers.

Keep track of all your certificates

Start by finding out which certificates you actually have deployed and reachable. The number may surprise you, because it is easy to forget the less visible ones: certificates for subdomains, mail servers, or internal services. Rather than trying to remember every certificate ever issued, use a network scanner that enumerates the certificates presented by the hosts in your network. Many such scanners are available online; Cryptonice is one example, and detailed instructions for it can be found online. Keep in mind that a scan only finds services that are listening at the moment you run it, so repeat it regularly and compare the result with the list of certificates you know you ordered.
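The inventory scan described above, written out as an added example (Python standard library only; this is not code from the article or from SSLmarket). `scan()` really connects to the endpoints you pass it, verifies the chain against the system trust store, and reports days until `notAfter`; a self-signed default certificate shows up as an UNTRUSTED row rather than being silently inventoried. The 30-day warning threshold and the endpoint list at the bottom are assumptions, and the certificate dicts used to exercise `days_until_expiry` are constructed.

```python
"""Inventory the certificates presented by a list of TLS endpoints and flag
those that expire soon. Added example for this article (stdlib only, not
SSLmarket code). The endpoint list below is constructed for illustration;
scan() really does connect to the hosts it is given."""
import socket
import ssl
import time

WARN_DAYS = 30  # assumed alerting threshold; align with your renewal lead time


def days_until_expiry(cert, now=None):
    """`cert` is the dict returned by SSLSocket.getpeercert(). Returns whole
    days left before notAfter; negative when the certificate already expired."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((not_after - now) // 86400)


def status_for(days_left, warn_days=WARN_DAYS):
    """Classify a days-left value for the report."""
    if days_left < 0:
        return "EXPIRED"
    return "WARN" if days_left <= warn_days else "ok"


def fetch_cert(host, port=443, timeout=5.0):
    """Handshake with SNI using the system trust store and return the leaf
    certificate. A self-signed default certificate fails verification here,
    which is exactly the condition an inventory run should surface."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def scan(endpoints, warn_days=WARN_DAYS):
    """endpoints: iterable of (host, port). Returns rows of
    (host, port, days_left, status); days_left is None when no certificate
    could be obtained, and status then carries the reason."""
    rows = []
    for host, port in endpoints:
        try:
            cert = fetch_cert(host, port)
        except ssl.SSLCertVerificationError as exc:  # must precede OSError
            rows.append((host, port, None, f"UNTRUSTED: {exc.verify_message}"))
            continue
        except (OSError, ssl.SSLError) as exc:  # refused, timeout, handshake failure
            rows.append((host, port, None, f"ERROR: {exc}"))
            continue
        left = days_until_expiry(cert)
        rows.append((host, port, left, status_for(left, warn_days)))
    return rows


if __name__ == "__main__":
    # Constructed endpoint list; feed it the output of your network scan.
    for row in scan([("www.example.com", 443), ("mail.example.com", 993)]):
        print(*row)
```

Feed `scan()` every host and port your scanner found, not just the web servers; IMAP, SMTP submission and internal admin panels are where forgotten certificates usually live.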

The tools in your SSLmarket customer account will also help you keep track of your certificates. There you can download an overview of all certificates issued and set up expiration notifications, which we can send by email or text message. Each account also has its own online calendar, which you can add to your phone or desktop calendar and in which you will find every event related to your certificates.

Keep your contact persons up to date

It can easily happen that the employee listed in the certificate order as both the authorization contact and the technical contact leaves the company. The certification authority then has no one to notify about an impending expiration or any other event, and the certificate can expire without your knowledge. The simplest remedy is to name different people as the authorization and technical contacts in the order and to enable expiration notifications for both of them in the SSLmarket account administration. You can also add further email addresses that we will notify and that are not tied to the persons listed in the order; a shared mailbox or ticket queue that survives staff changes is a good choice.

Pay attention to Wildcard certificates

It is well known that one Wildcard certificate can be used for the base domain and any number of its subdomains at one level below it (*.example.com covers www.example.com and mail.example.com, but not a.b.example.com). But what if the private key is stolen? An attacker who has it can impersonate any host in the domain the certificate was issued for, not only the one where the key was compromised.

A second drawback follows from the first: a Wildcard certificate is usually deployed in several places, and when its key is compromised every copy on every subdomain has to be revoked and replaced at once. These risks are also the reason Wildcard certificates cannot be issued as EV certificates. The best prevention is to give each deployment its own private key: generate a separate key and CSR on each server and have the certificate reissued for it, so that a compromise on one host means revoking and replacing only that copy. In the SSLmarket administration you can generate any number of keys and reissue the certificate with them; it is easy and free.

Check the default certificates

On Plesk, for example, but also on other systems, you will find so-called default certificates. These are typically self-signed and not trusted by browsers; they were never intended for production use. Delete them and replace them with a trusted SSL/TLS certificate. Then check with our tool that a leftover default certificate is not still being served in place of the correct SSL/TLS certificate, which is a frequent cause of "not trusted" warnings after an otherwise successful installation.

Keep your server settings up to date

It is easy. The following SSL/TLS protocol versions are obsolete and vulnerable, please deactivate them:

  • SSL v2
  • SSL v3
  • TLS 1.0
  • TLS 1.1

Activate TLS 1.2 and TLS 1.3 instead.

Cipher suites to deactivate:

  • DES
  • 3DES
  • RC4 (and RC2)
  • anything export-grade, anonymous (aNULL), or without encryption (eNULL)

A certificate only works properly on a web server that supports current SSL/TLS versions and cipher suites. If you can, also enable HTTP/2 and, once your server supports it, HTTP/3; together with TLS 1.3 these speed up encrypted traffic. We strongly recommend Mozilla's SSL Configuration Generator as a guide to the configuration settings for your server software.
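The protocol and cipher advice above expressed in code, as an added example that is not from the article or from SSLmarket. It uses Python's standard `ssl` module, which sits on OpenSSL, so the same cipher-string syntax applies to Apache and nginx. `hardened_server_context()` is the corrected setting (TLS 1.2 as the floor, ECDHE key exchange only, AEAD ciphers only); `legacy_server_context()` is the neglected one; `weak_ciphers()` audits whatever a context would actually negotiate. The marker list that defines "weak" is my choice.

```python
"""Build a TLS server context that applies the protocol and cipher advice
above, and audit what a context really offers. Added example (stdlib only),
not from the article or SSLmarket."""
import ssl

# Substrings that identify suites to refuse. OpenSSL names the 3DES suites
# DES-CBC3-*, so "DES" covers DES and 3DES; "EXP" marks export-grade suites.
FORBIDDEN_MARKERS = ("DES", "RC4", "RC2", "NULL", "EXP", "MD5")


def weak_cipher_names(names):
    """Return those cipher names that match a forbidden marker."""
    return [n for n in names if any(m in n.upper() for m in FORBIDDEN_MARKERS)]


def weak_ciphers(ctx):
    """Audit a live SSLContext: which suites it would negotiate are weak?"""
    return weak_cipher_names(c["name"] for c in ctx.get_ciphers())


def protocol_floor(ctx):
    """Name of the lowest protocol version the context will accept."""
    return ctx.minimum_version.name


def legacy_server_context():
    """The neglected configuration: TLS 1.0 still accepted and the cipher
    list wide open. Which weak suites actually appear depends on how your
    OpenSSL was built; run weak_ciphers() on it to see."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    return ctx


def hardened_server_context(certfile=None, keyfile=None):
    """TLS 1.2+ only, ECDHE key exchange (forward secrecy), AEAD ciphers only.
    TLS 1.3 suites are managed by OpenSSL separately and stay enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # drops SSLv3, TLS 1.0, TLS 1.1
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!PSK:!MD5:!DES:!3DES:!RC4"
    )
    # No TLS compression (CRIME) and let the server pick the suite order.
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # keyfile=None: key is in certfile
    return ctx


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_server_context()),
                       ("hardened", hardened_server_context())):
        print(label, protocol_floor(ctx), "weak suites:", weak_ciphers(ctx))
```

Running the script side by side shows the point of the section: the legacy context reports TLSv1 as its floor and, on most builds, a list of DES-CBC3 suites, while the hardened context reports TLSv1_2 and an empty list. Pass your real certificate and key to `hardened_server_context()` to use it with `wrap_socket()` or an `http.server` instance.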

Take care of the private key

Do not begrudge the time you invest in storing the private key securely and in managing it afterwards. We recommend the following:

Renew the certificate with a new key pair. Do not renew it with the original CSR, because that silently reuses the original private key; generate a fresh key and CSR for every renewal.

If the authorization or technical person leaves the company, request a certificate reissue with a new private key, and treat the old key as potentially exposed: once the replacement is deployed, revoke the old certificate.

If you have to send a certificate or private key by email, send it encrypted only. Better still, do not move the private key at all: generate it on the server where it will be used and transfer only the CSR and the certificate, which are public. Email encryption is provided by S/MIME certificates, which we will be happy to help you with.

Set up a CAA record

Certificate Authority Authorization (CAA) is a DNS record type that lists the certification authorities allowed to issue certificates for the domain it is published on and, unless a subdomain publishes its own record, for its subdomains. Since September 2017 every publicly trusted CA has been required to check CAA before issuing. Set up a CAA record for your domains: without one, any CA may issue a certificate for your domain to anyone who passes its domain validation. Note that CAA is checked only at issuance time, so it does not affect certificates that already exist and does not replace monitoring of Certificate Transparency logs. You will find out how to set it up in our article.
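To show what a CA actually does with your record, here is the CAA evaluation from RFC 8659 as an added example (not from the article or SSLmarket, and not a real CA's code). The zone data is constructed; in DNS the first entry would be published as `example.test. IN CAA 0 issue "digicert.com"`. The example goes slightly beyond the paragraph: it also handles the `issuewild` tag for wildcard requests, the `;` value that forbids everyone, and the issuer-critical flag for tags a CA does not understand. A real CA additionally has to deal with DNSSEC and resolver failures, which are left out here.

```python
"""CAA evaluation as a CA performs it before issuing (RFC 8659), run against
a constructed zone. Added example; no DNS queries are made, the `lookup`
callable stands in for the resolver."""

CRITICAL = 128  # issuer-critical flag bit in the CAA record

# Constructed CAA data for illustration: fqdn -> list of (flags, tag, value).
CAA_ZONE = {
    "example.test": [
        (0, "issue", "digicert.com"),
        (0, "issue", "letsencrypt.org"),
        (0, "iodef", "mailto:security@example.test"),
    ],
    "locked.example.test": [(0, "issue", ";")],               # nobody may issue
    "shop.example.test": [(0, "issuewild", "digicert.com")],  # wildcard-only rule
    "weird.example.test": [(CRITICAL, "futuretag", "x")],     # unknown critical tag
}


def relevant_caa_rrset(fqdn, lookup):
    """Climb from the FQDN toward the root; the first non-empty CAA RRset is
    the relevant one and the climb stops there (RFC 8659 section 3)."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = lookup(name) or []
        if rrset:
            return name, rrset
    return None, []


def _issuer_domain(value):
    """'digicert.com; accounturi=...' -> 'digicert.com'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(name, ca_domain, lookup=CAA_ZONE.get):
    """True if the CA identified by ca_domain may issue for `name`, which may
    be a wildcard name such as '*.shop.example.test'."""
    wildcard = name.startswith("*.")
    fqdn = name[2:] if wildcard else name
    _, rrset = relevant_caa_rrset(fqdn, lookup)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    known = {"issue", "issuewild", "iodef"}
    if any(flags & CRITICAL and tag.lower() not in known for flags, tag, _ in rrset):
        return False  # a critical property the CA does not understand
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # issuewild governs wildcard requests when present; otherwise issue applies.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # relevant set exists but places no restriction on this request
    return ca_domain.lower() in {_issuer_domain(v) for v in applicable}


if __name__ == "__main__":
    for req, ca in [("www.example.test", "digicert.com"),
                    ("www.example.test", "other-ca.example"),
                    ("*.shop.example.test", "letsencrypt.org"),
                    ("shop.example.test", "letsencrypt.org")]:
        print(f"{ca:>18} for {req:<22} -> {ca_may_issue(req, ca)}")
```

Two results are worth noticing. `shop.example.test` publishes only an `issuewild` record, so for a plain (non-wildcard) certificate the relevant set restricts nothing and any CA may issue; the parent's `issue` records are not consulted because the climb stops at the first non-empty set. Conversely, a domain with only an `iodef` record is likewise unrestricted. If you want a subdomain locked down, give it its own `issue` records rather than relying on the parent.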

A tip at the end

Do not be afraid to use ECC cryptography; it speeds up the handshake between server and client, because an ECC key is far shorter than an RSA key of comparable strength and signing with it is cheaper. ECC keys are based on elliptic curves, and support for them in current browsers and operating systems is now seamless; only very old clients lack it, so keep an RSA certificate alongside if you must still serve them. ECC keys are supported by all certificates offered by SSLmarket.

And what next?

You can find current recommendations (so-called best practices) at https://www.ssllabs.com/projects/best-practices/index.html

SSLLabs.com also offers a free server test that checks many of the points above, along with other aspects of server security.

We believe that with our tips you can easily improve your certificate management and get the most out of them. Of course, we will be happy to help you with any step, just contact us.

Source:

https://www.digicert.com/security/tls-best-practice