Key and certificate management

Recommendations:

  • Use separate key pairs for signing and for encrypting messages, so that compromise or misuse of one key does not enable both information disclosure and tampering.

  • Do not use the same public key in different certificates, because it opens the door to substitution (spoofing) attacks.

  • Distribute certificates and revocation information over secure protocols, for example from LDAP repositories.

  • Rotate keys and their corresponding certificates every three quarters.

  • Provide reliable storage for expired keys so that data encrypted under them can still be retrieved and recovered later.

  • Consider using OpenStack Anchor, an ephemeral PKI certification system that uses automated issuing rules and short-lived certificates to mitigate common certificate security issues.
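The recommendations above can be enforced as routine checks over a certificate inventory. The following script is an added example, not code from this guide or from OpenStack: it flags keys used for both signing and encryption, public keys shared between certificates, and keys older than the three-quarter rotation interval. The inventory record format (subject, SubjectPublicKeyInfo fingerprint, keyUsage bits, notBefore date) and the 91-day quarter are assumptions, and the sample records are constructed.

```python
"""Policy checks over a certificate inventory (added example).

Assumed record format: subject, SHA-256 fingerprint of the
SubjectPublicKeyInfo, the X.509 keyUsage bits and the notBefore date,
as an exporter might collect them from
`openssl x509 -noout -subject -dates -ext keyUsage`.
"""
from datetime import date

# "Rotate keys and certificates every three quarters"; a quarter is
# taken as 91 days here (assumption).
MAX_KEY_AGE_DAYS = 3 * 91

# keyUsage bits that make a key a signing key or an encryption key.
SIGNING_USAGES = {"digitalSignature", "nonRepudiation", "keyCertSign", "cRLSign"}
ENCRYPTION_USAGES = {"keyEncipherment", "dataEncipherment", "keyAgreement"}

# Constructed sample inventory; fingerprints are placeholders, not real keys.
INVENTORY = [
    {"subject": "CN=api.example.test", "spki_sha256": "fp-a",
     "key_usage": {"digitalSignature", "keyEncipherment"},
     "not_before": date(2023, 1, 10)},
    {"subject": "CN=api-sign.example.test", "spki_sha256": "fp-b",
     "key_usage": {"digitalSignature"}, "not_before": date(2024, 3, 1)},
    {"subject": "CN=api-enc.example.test", "spki_sha256": "fp-c",
     "key_usage": {"keyEncipherment"}, "not_before": date(2024, 3, 1)},
    {"subject": "CN=legacy.example.test", "spki_sha256": "fp-a",
     "key_usage": {"digitalSignature"}, "not_before": date(2024, 2, 1)},
]
AS_OF = date(2024, 6, 1)  # reference date for the age check (constructed)


def check_mixed_usage(inventory):
    """Subjects whose single key is used for both signing and encryption."""
    return [c["subject"] for c in inventory
            if c["key_usage"] & SIGNING_USAGES
            and c["key_usage"] & ENCRYPTION_USAGES]


def check_shared_keys(inventory):
    """Public keys that appear in more than one certificate."""
    by_key = {}
    for c in inventory:
        by_key.setdefault(c["spki_sha256"], []).append(c["subject"])
    return {fp: subjects for fp, subjects in by_key.items() if len(subjects) > 1}


def check_key_age(inventory, as_of, max_age_days=MAX_KEY_AGE_DAYS):
    """(subject, age in days) for keys older than the rotation interval.

    notBefore is used as the key creation date, i.e. the key is assumed to
    have been generated when the certificate was issued.
    """
    stale = []
    for c in inventory:
        age = (as_of - c["not_before"]).days
        if age > max_age_days:
            stale.append((c["subject"], age))
    return sorted(stale, key=lambda item: item[1], reverse=True)


def run_checks(inventory, as_of):
    """Collect all findings; empty lists/dicts mean the inventory passes."""
    return {
        "mixed_usage": check_mixed_usage(inventory),
        "shared_keys": check_shared_keys(inventory),
        "stale_keys": check_key_age(inventory, as_of),
    }


if __name__ == "__main__":
    for name, findings in run_checks(INVENTORY, AS_OF).items():
        print(f"{name}: {findings or 'OK'}")
```

Run against the sample inventory, the script reports `CN=api.example.test` for using one key for both signing and encryption and for exceeding the rotation interval, and reports fingerprint `fp-a` as shared between `CN=api.example.test` and `CN=legacy.example.test`; the split signing/encryption pair passes. Feeding real inventory data requires an exporter that produces the assumed record fields.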