Skip to main content

Concepts

Concepts for certificate management

Abstract

This page describes FairCom's best practices for certificate management.

Use a private certificate authority to secure FairCom servers and clients

FairCom's servers and clients communicate over secure protocols including  HTTPS, WebSocket Secure (WSS), and MQTT Secure (MQTTS). These protocols require clients and servers to use "signed certificates" that identify them as legitimate so that malicious users cannot impersonate them. The best practice for managing and obtaining these signed certificates is to use a "key pair" provided by a certificate authority (CA). The key pair is a private key file and a public certificate file.

You can establish your own private CA to provide a key pair to use when you create your signed server and client certificates. If your company has already set up a private CA, you can skip the "Create certificate authority" step of the tutorials. Contact your security team to obtain a key pair for each of your FairCom servers and for each of your clients. They should also provide you with a copy of your company's CA certificate.

Your private CA is used only inside your company. It is safe and appropriate for you to maintain your own private CA if you follow a few simple guidelines. In contrast, a public CA is used for servers that deliver content to the Internet. Because FairCom servers and clients are only used inside your company's internal network, they can use the certificate file from the key pair that you create for your private CA.

Input your private CA certificate into the key stores of sources such as operating systems, browsers, and programming languages. Once your CA certificate is trusted by these sources, any server or client certificates signed by that CA certificate will also be trusted by those sources.

Certificate manager overview

The tutorials section uses Python scripts to make it easy to create and manage your private CA and associated server and client certificates. These scripts are located in the <faircomInstallationDirectory>/drivers/certificates folder.

You must install Python for tutorial scripts to run.

  • Use createcacert.py to create a CA key file and CA certificate file.  These are self-signed files that form a CA key pair and are referred to as the root certificate. They are the most important parts of a private certificate authority.

  • Use createservercert.py to create a server key file and server certificate file for a specific server you want to secure. These two files are a server key pair and are known as leaf certificates.

    Move the server leaf certificates to the server and configure the server to use services.json.

  • Use importcert.py to import the CA certificate (not the CA key) into the OS keystore for every computer that will connect to the server.  This results in those computers trusting any certificate signed by the CA certificate. This eliminates the need for Google Chrome to display a warning that a server is not trusted.

  • Use createclientcert.py to create client keys and certificates, which are signed by the CA key. These typically work like a username and password

    Note

    NEW 2023-12-04 Client certificates can be created but can only be implemented with the FairCom ISAM interface.

    FairCom will fully support client certificates in a future release.

Advantages of client certificate files

Client certificate files have the following advantages over usernames and passwords:

  • A client certificate file is more secure than a username because a certificate authority signs the username, making it irreputable.

  • A client certificate is more secure than a password because its private key is the password. A private key cannot be brute forced because it is too long and crypto-random. In addition, client software never transmits the private key to the server; instead, the TLS handshake validates it.

  • You can store a client certificate in secure key stores provided by the operating system or certificate management software. File system permissions can also protect a certificate.

  • The organization must sign a client certificate. Malicious attackers cannot falsify a client certificate because they do not have the private CA key that signed it.

  • A client certificate with an encrypted private key provides multi-factor authentication because a client using the certificate must also provide the private key password to decrypt the private key.

  • An organization may optionally assign a client certificate's validity start and end dates to prevent the use of old credentials and the premature use of new credentials.

  • An organization may optionally embed specific IP Addresses or hostnames into a certificate to ensure the certificate is valid only when a client connects from one of those locations.

  • An organization can revoke a certificate to prevent it from being used.

Certificate best practices for FairCom customers

Follow FairCom's best practices for CA, client, and server certificates to guard against attacks and prevent outages.

General best practices

  • Fill out all the values requested by FairCom's Certificate Manager.

    • It allows the FairCom Certificate Manager to create unique, easily identified certificates.

  • Avoid outages by renewing and distributing certificates to computers long before they expire.

    • When a CA certificate expires, it creates an outage because servers and clients reject all certificates it created.

    • When a server certificate expires, the server experiences an outage because clients refuse to connect.

    • When a client certificate expires, the client experiences an outage because the server rejects the client's authentication attempt.

  • Add appointments to multiple employee calendars to renew certificates long before they expire.

    • Give yourself enough time to renew and install certificates on the appropriate computers.

    • FairCom's Certificate Manager system organizes certificates into folders named after expiration dates so you can quickly determine when to renew them.

  • Renew certificates early.

    • You can renew CA, server, and client certificates at any time.

    • Proactively renew and distribute CA, client, and server certificates ahead of time to avoid outages and minimize the time an attacker has to compromise certificates.

  • Be aware that a secret key always accompanies a certificate.

    • FairCom Certificate Manager stores the CA secret key and certificate in separate files. You distribute the CA certificate file and safely lock up the CA secret key file.

    • FairCom Certificate Manager stores a server secret key and certificate in the same file that you deploy to a server.

    • FairCom Certificate Manager stores a client's secret key and certificate in the same file that you deploy to a client.

CA certificate and secret key files

  • Secure the Ca secret key file in a location that attackers cannot compromise.

    • If an attacker copies the CA key file, they can create server and client certificates and compromise all systems that use certificates.

    • If an attacker copies, destroys, or encrypts the Ca key file, you must replace all your certificates: CA, server, and client.

  • Expire CA certificates in 10 years

    • Certificates have an expiration date to minimize the time available to an attacker to compromise certificates without your knowledge.

    • When a CA certificate expires, you must replace all certificates: CA, server, and client. For this reason, you do not want the CA certificate to expire often.

    • Because a CA certificate expires infrequently, you must ensure an attacker never gets the CA key file. If they do, you must replace all your certificates: CA, server, and client.

Server certificate files

  • Expire server certificates in 13 months.

    • It balances the time available to an attacker to compromise certificates with the work to renew and distribute new server certificates.

    • Thirteen months gives you an extra month to renew certificates annually.

  • Secure the server containing the server certificate file to help prevent attackers from stealing it.

    • Protect this file because it contains the server certificate's secret private key.

    • Physically secure the server in a server room that has restricted access.

    • Lock down the file system to require elevated privileges to access the server certificate file.

    • If an attacker copies the server certificate file, they can create a man-in-the-middle attack. They can install the certificate on another server and change your network configuration to route clients to that server, where they can steal your information.

Client certificate files

  • Expire client certificates in 13 months.

    • It balances the time available to an attacker to compromise certificates with the work to renew and distribute new server certificates.

    • Thirteen months gives you an extra month to renew certificates annually.

  • Create a separate client certificate file for each user, device, and software that logs into a FairCom server. Do not create more than one client certificate for each account.

    • It allows you to uniquely identify, authenticate, and authorize each client logged into a FairCom server.

  • Consider entering a passphrase when the FairCom Certificate Manager prompts you to encrypt the secret key in the client certificate file.

    • You do not need a passphrase if the client system is in a secure environment.

    • If the client system is insecure, consider using a passphrase.

    • A good passphrase increases the security because an attacker who steals the client certificate cannot use it without the passphrase.

    • A good passphrase consists of at least 12 characters, a mix of upper and lowercase, numeric, and special characters.

    • A passphrase increases complexity because you must configure the client system to use the passphrase. For example, a software vendor can embed the passphrase in its software, or you can embed it in a secure wallet provided by the client software, device, or operating system.

Secure Hypertext Transfer Protocol (HTTP) is the HTTP protocol running over TLS. It provides secure request-response communications between computers.

WebSocket Secure (WSS)is the secure version of WebSocket. It uses TLS to create secure communications.

Secure Message Queueing Telemetry Transport (MQTTS) is the MQTT protocol running over TLS. It provides secure messaging between computers.

A certificate authority (CA) issues digital identity certificates to identify computers to each other using the TLS protocol. Popular CAs include letsencrypt.org and verisign.com.