Key and certificate management

Key and certificate managementΒΆ


  • Use different key pairs to sign and encrypt messages to mitigate information disclosure and tampering attacks.
  • Do not use the public same key in different certificates due to possible substitution (spoofing) attacks.
  • Use secure protocols for dissemination of certificate and revocation information such as LDAP repositories.
  • Update keys and corresponding certificates every three quarters.
  • Provide reliable storage for expired keys that can be used later to retrieve and recover encrypted data.
  • Consider using the OpenStack Anchor - an ephemeral PKI certification system that uses automated issuing rules and short life certificates to mitigate common certificate security issues.