== Practice secure PKI management ==

This one is so obvious it's often missed in hardening/security review. Your security system is only as secure as its weakest link, and the PKI is no exception. Practice secure PKI management, safeguard your CA-related passphrases, and ensure you have a level of control and auditing over your PKI that is suitable for your security needs.

Some basic principles of secure PKI management can include:

 * Keep the CA PKI on a secure system:
   * Limited user login access
   * Limited software installed that could compromise the system
   * Do not perform CA PKI tasks as root; use a restricted/limited account
   * Maintain filesystem controls/access
 * Generate private keys on the target system
   * As above, do not use root/admin accounts to generate keypairs/requests
   * Do not transport private keys, even encrypted ones (attackers can attempt to guess/brute-force passphrases)
   * Any passphrase used needs to be shared/transported as well
   * When keys are shared, future compromise can't be as easily shown to come from a specific one
 * Use secure passphrases
   * A copied/stolen encrypted key is no good if the passphrase used to protect it is weak/guessable
   * Standard password practices apply, such as not re-using passwords elsewhere
 * Use a CRL, and quickly revoke lost/compromised keys
   * Generate/use a CRL upfront, even when initially empty (OpenVPN requires a restart to add this option later)
   * Ensure holders of issued certificates know to promptly report loss/compromise of private keys
   * Have a system in place for revoking certificates and deploying the revocations to live systems
   * Consider if clients need a copy of the CRL as well; some considerations:
     * Multiple servers?
     * Re-issuance of a compromised server?
     * Key rollover for other reasons prior to expiry?
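
Several of these points can be checked mechanically. The following Python audit is an added example, not part of the original page or of OpenVPN itself: it flags running as root, a config with no `crl-verify` directive, and a private key readable by group/other. The function names, the `base_dir` parameter (assumed to be the directory that relative paths in the config resolve against), and the sample config and files are constructed for illustration.

```python
import os
import shlex
import stat
import tempfile

def parse_directives(config_text):
    """Map each OpenVPN directive to its arguments (inline <key> blocks unsupported)."""
    directives = {}
    for line in map(str.strip, config_text.splitlines()):
        if line and line[0] not in "#;<":  # skip comment lines and inline-file tags
            parts = shlex.split(line, comments=True)
            if parts:
                directives[parts[0]] = parts[1:]
    return directives

def audit(config_text, base_dir, euid=None):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if (os.geteuid() if euid is None else euid) == 0:
        findings.append("running as root; use a restricted account for PKI tasks")
    d = parse_directives(config_text)
    crl = d.get("crl-verify")
    if not crl:
        findings.append("no crl-verify directive; adding it later needs a restart")
    elif not os.path.isfile(os.path.join(base_dir, crl[0])):
        findings.append(f"CRL file {crl[0]} not found")
    key = d.get("key")
    if key:
        path = os.path.join(base_dir, key[0])
        if not os.path.isfile(path):
            findings.append(f"private key {key[0]} not found")
        elif stat.S_IMODE(os.stat(path).st_mode) & 0o077:  # any group/other bit set
            findings.append(f"private key {key[0]} is group/other accessible")
    return findings

def demo():
    """Constructed sample: a weak layout, then the same layout hardened."""
    with tempfile.TemporaryDirectory() as base:
        key = os.path.join(base, "server.key")
        open(key, "w").close()  # empty stand-in, not a real key
        os.chmod(key, 0o644)
        weak = audit("ca ca.crt\nkey server.key\n", base, euid=0)
        open(os.path.join(base, "crl.pem"), "w").close()  # stand-in for a real CRL
        os.chmod(key, 0o600)
        fixed = audit("ca ca.crt\nkey server.key\ncrl-verify crl.pem\n", base, euid=1000)
    return weak, fixed

if __name__ == "__main__":
    print(*demo()[0], sep="\n")
```

The audit only checks that the CRL file exists; it does not parse it or check its validity period.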