Certificate best practices for FairCom customers

It allows the FairCom Certificate Manager to create unique, easily identified certificates.

When a CA certificate expires, it creates an outage because servers and clients reject all certificates it created.

When a server certificate expires, the server experiences an outage because clients refuse to connect.

When a client certificate expires, the client experiences an outage because the server rejects the client's authentication attempt.

Give yourself enough time to renew and install certificates on the appropriate computers.

FairCom's Certificate Manager system organizes certificates into folders named after expiration dates so you can quickly determine when to renew them.

You can renew CA, server, and client certificates at any time.

Proactively renew and distribute CA, client, and server certificates ahead of time to avoid outages and minimize the time an attacker has to compromise certificates.

FairCom Certificate Manager stores the CA secret key and certificate in separate files. You distribute the CA certificate file and safely lock up the CA secret key file.

FairCom Certificate Manager stores a server secret key and certificate in the same file that you deploy to a server.

FairCom Certificate Manager stores a client's secret key and certificate in the same file that you deploy to a client.

If an attacker copies the CA key file, they can create server and client certificates and compromise all systems that use certificates.

If an attacker copies, destroys, or encrypts the Ca key file, you must replace all your certificates: CA, server, and client.

Certificates have an expiration date to minimize the time available to an attacker to compromise certificates without your knowledge.

When a CA certificate expires, you must replace all certificates: CA, server, and client. For this reason, you do not want the CA certificate to expire often.

Because a CA certificate expires infrequently, you must ensure an attacker never gets the CA key file. If they do, you must replace all your certificates: CA, server, and client.

It balances the time available to an attacker to compromise certificates with the work to renew and distribute new server certificates.

Thirteen months gives you an extra month to renew certificates annually.

Protect this file because it contains the server certificate's secret private key.

Physically secure the server in a server room that has restricted access.

Lock down the file system to require elevated privileges to access the server certificate file.

If an attacker copies the server certificate file, they can create a man-in-the-middle attack. They can install the certificate on another server and change your network configuration to route clients to that server, where they can steal your information.

It balances the time available to an attacker to compromise certificates with the work to renew and distribute new server certificates.

Thirteen months gives you an extra month to renew certificates annually.

It allows you to uniquely identify, authenticate, and authorize each client logged into a FairCom server.

You do not need a passphrase if the client system is in a secure environment.

If the client system is insecure, consider using a passphrase.

A good passphrase increases the security because an attacker who steals the client certificate cannot use it without the passphrase.

A good passphrase consists of at least 12 characters, a mix of upper and lowercase, numeric, and special characters.

A passphrase increases complexity because you must configure the client system to use the passphrase. For example, a software vendor can embed the passphrase in its software, or you can embed it in a secure wallet provided by the client software, device, or operating system.