3

Situation:

In our system there are a lot of certificates. Some of them are used to secure HTTPS endpoints. Many more of them are used as a means of authenticating our system to an external system (we integrate with over a dozen of other systems). Some others yet are used to authenticate external systems to our system.

All in all, we have dozens of various certificates lying about all over the place. Most of them are only found in one place - the production server that needs them. Some are checked in source control which we all agree is not a good idea, but nobody has gotten around to fixing that yet. There is no list of all (or any) of them.

Problem(s)(?)

Me and a few other colleagues feel that this is too chaotic. It feels like we should have some sort of registry where they are stored. A central place which lists them all; where you can check which one is going to expire next; and where you can restore them from when the need arises. Occasionally a certificate does expire and nobody notices it until it's too late.

Counter-arguments

Other colleagues feel differently. Most certificates are either automatically renewed (certbot), there are notifications set in our monitoring system (Zabbix), or there are emails from 3rd parties notifying us when they expire and need to be replaced. All certificates are already backed up in the "normal" server backups which simply back up the virtual server image. And if those backups are gone too, we have bigger problems to worry about. In addition, storing the certificates elsewhere reduces security.

Question

Is there some largely agreed upon best practice here? Should we create a central certificate registry or should each certificate be found in one place and only one? Is there perhaps already some software for securely managing a list of certificates?

Vilx-
  • 5,320
  • 4
  • 20
  • 24
  • Please tag an operating system. – John Wu Nov 27 '18 at 02:52
  • @JohnWu - Is it necessary? I think the question is pretty much operating-system agnostic. Sure, specific software recommendations might come with their own system requirements, but in order for this question to be broadly useful, I think it's better to include various options anyway. – Vilx- Nov 27 '18 at 08:03

1 Answers1

1

The industrial standard way to manage secrets and certificates is a Certificate Vault/Secret Store. It is responsible for providing secrets, certificates, etc... to your software when it is needed.

As a benefit, many will alert you to impending expiration, and (mostly) ensure that secrets are secure at rest. Some can even issue temporary credentials, performing rolling updates, and offer many handy automatable features.

Unfortunately not all software is setup to receive such secrets securely, and may require some insecure handling and/or custom integration. It will also add another dependency and point of failure to your system.

So while this has obvious benefits, setting it up poorly will have a negative effect on your systems.

Kain0_0
  • 15,888
  • 16
  • 37