Keeping your company's website secure 100% of the time is important, and you need to be able to get a real expert on the phone when things go wrong.

Certificate Authority Authorization (CAA)

Certificate Authority Authorization (CAA) is a standard to protect websites by designating specific CAs that are permitted to issue certificates for a domain name. Once you've chosen a CA, you should consider configuring CAA records to authorize it.

Generate your own private keys in a secure and trusted environment (preferably on the server where they will be deployed, or on a FIPS or Common Criteria compliant device). Never allow a CA (or anyone else) to generate private keys on your behalf. A reputable public CA, such as SSL.com, will never offer to generate or handle your private keys unless they are generated in a secure hardware token or HSM and are non-exportable.

Only give access to private keys as needed. Generate new keys, and revoke all certificates for the old keys, when employees with private-key access leave the company.

Renew certificates as often as practically possible (at least yearly), preferably using a freshly generated private key each time. Automation tools based on the ACME protocol are helpful for scheduling frequent certificate renewals.

If a private key has been (or might have been) compromised, revoke all certificates for that key, generate a new key pair, and issue a new certificate for the new key pair.

Note: for an overview of the RSA and ECDSA algorithms, see SSL.com's article, Comparing ECDSA vs RSA.

On the surface, installing an SSL/TLS certificate may seem like a straightforward operation; however, there are still many configuration decisions that must be made to ensure that your web server is fast and secure, and that end users have a smooth experience free of browser errors and warnings. Here are some configuration pointers to help get you on track when setting up SSL/TLS on your servers:

Install complete certificate chains: End-entity SSL/TLS certificates are generally signed by intermediate certificates rather than a CA's root key. Make sure that any intermediate certificates are installed on your web server to provide browsers with a complete certification path and avoid trust warnings and errors for end users.

Make sure all hostnames are covered: Does your certificate cover your site's domain name both with and without the www prefix? Is there a Subject Alternative Name (SAN) for every domain name the certificate is intended to protect? Browsers match the hostname against the SAN entries only; a name that appears solely in the Subject CN will not be accepted.
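The hostname-coverage check above is easy to get wrong by hand, especially once wildcards are involved. The following is an added example (not code from the original article or from SSL.com) that takes a certificate's SAN dNSName entries and the list of hostnames a site needs, applies the RFC 6125 matching rules (case-insensitive labels, a wildcard only as the entire left-most label, matching exactly one label), and reports every name the certificate would fail to cover. The SAN list and hostnames are constructed for illustration; the rejection of bare "*.tld" patterns is a conservative choice, not something the article states.

```python
"""Report which required hostnames a certificate's SAN entries do not cover.

Added example; the SAN data below is constructed, not taken from a real
certificate.  Matching follows RFC 6125 section 6.4.3 as browsers apply it:
labels compare case-insensitively, a wildcard is only honoured as the whole
left-most label, and it matches exactly one label.
"""


def _normalize(name: str) -> str:
    """Lower-case and strip a trailing dot (IDNA A-labels assumed already applied)."""
    return name.strip().rstrip(".").lower()


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if SAN dNSName `pattern` covers `hostname`."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the complete left-most label ("*.example.com");
    # "w*.example.com" and "*.*.example.com" are rejected.  As a conservative
    # assumption we also refuse "*.com", which no public CA would issue.
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    # Exactly one label is matched: "*.example.com" covers "www.example.com"
    # but neither "example.com" nor "mail.sub.example.com".
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return h_labels[1:] == p_labels[1:]


def uncovered_hostnames(san_dns_names, hostnames):
    """Return the hostnames (in input order) that no SAN entry covers."""
    return [h for h in hostnames
            if not any(dns_name_matches(p, h) for p in san_dns_names)]


def required_hostnames(domains):
    """Expand each domain into the apex and www forms the article asks about."""
    out = []
    for d in domains:
        d = _normalize(d)
        for h in (d, "www." + d):
            if h not in out:
                out.append(h)
    return out


# Constructed dNSName entries, as they might appear in a certificate's
# subjectAltName extension.
EXAMPLE_SAN = ["example.com", "*.example.com", "api.example.net"]


def check_example():
    """Run the check on the constructed data and return the uncovered names."""
    wanted = required_hostnames(["example.com", "example.net"])
    wanted.append("mail.sub.example.com")  # two labels under the wildcard
    return uncovered_hostnames(EXAMPLE_SAN, wanted)


if __name__ == "__main__":
    for name in check_example():
        print("not covered by certificate:", name)
```

Run against a real certificate, feed `uncovered_hostnames` the dNSName values from the subjectAltName extension (for example as printed by `openssl x509 -noout -ext subjectAltName`); an empty result means every name, with and without the www prefix, is covered.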
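Returning to the CAA section above: the value of a CAA record lies in how a CA evaluates it at issuance time, so it is worth seeing that evaluation written out. The following is an added example (not code from the original article or from SSL.com) implementing the RFC 8659 rules over a constructed set of zone records: the relevant record set is found by climbing from the requested name toward the root and taking the first name that has CAA records; an empty set authorizes any CA; `issue` restricts ordinary certificates; `issuewild`, when present, replaces `issue` for wildcard requests; a bare `;` value forbids issuance; and an unknown tag with the critical flag set blocks issuance. The zone contents, the CA names and the parameter after `;` are assumptions for illustration; a real check would query DNS (for example with `dig CAA example.com`) instead of reading a dict, and CNAME/DNAME chasing is omitted.

```python
"""Evaluate CAA records the way an issuing CA does (RFC 8659, section 4).

Added example; CONSTRUCTED_ZONE stands in for DNS answers and is not real
data.  Each record is (flags, tag, value) exactly as in the RDATA.
"""

CRITICAL = 0x80  # issuer-critical flag bit

# Constructed records: ssl.com and letsencrypt.org may issue ordinary
# certificates for example.com and names under it; nobody may issue
# wildcards; one subdomain forbids issuance entirely; another carries an
# unknown critical property.
CONSTRUCTED_ZONE = {
    "example.com": [
        (0, "issue", "ssl.com"),
        (0, "issue", "letsencrypt.org; validationmethods=dns-01"),
        (0, "issuewild", ";"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.com": [(0, "issue", ";")],
    "test.example.com": [(CRITICAL, "experimental", "something")],
}


def relevant_record_set(zone, name):
    """RFC 8659 section 3: walk from `name` toward the root and return the
    CAA records at the first label that has any (CNAME/DNAME chasing omitted)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
    return []


def _issuer_domain(value):
    """'ca.example; k=v' -> 'ca.example'; a bare ';' -> '' (no CA at all)."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(zone, name, ca_domain, wildcard=False):
    """Return True if `ca_domain` may issue a certificate for `name`."""
    records = relevant_record_set(zone, name)
    if not records:
        return True  # no CAA anywhere up the tree: unrestricted
    # An unknown property flagged critical means the CA must not issue.
    for flags, tag, _ in records:
        if flags & CRITICAL and tag.lower() not in ("issue", "issuewild", "iodef"):
            return False
    tag = "issue"
    if wildcard and any(t.lower() == "issuewild" for _, t, _ in records):
        tag = "issuewild"  # issuewild, when present, overrides issue
    issuers = [_issuer_domain(v) for _, t, v in records if t.lower() == tag]
    if not issuers:
        return True  # no relevant property: unrestricted for this request type
    return ca_domain.lower() in issuers


def report_addresses(zone, name):
    """iodef URLs a CA should notify about a rejected request."""
    return [v for _, t, v in relevant_record_set(zone, name) if t.lower() == "iodef"]


def zone_file_lines(zone):
    """Presentation format for the records, ready to paste into a zone file."""
    return [f'{name}. IN CAA {flags} {tag} "{value}"'
            for name, recs in zone.items() for flags, tag, value in recs]


if __name__ == "__main__":
    for line in zone_file_lines(CONSTRUCTED_ZONE):
        print(line)
    for host, ca, wild in [("www.example.com", "ssl.com", False),
                           ("www.example.com", "digicert.com", False),
                           ("example.com", "ssl.com", True),
                           ("legacy.example.com", "ssl.com", False),
                           ("test.example.com", "ssl.com", False),
                           ("example.org", "ssl.com", False)]:
        print(host, ca, "wildcard" if wild else "", "->",
              "permitted" if caa_permits(CONSTRUCTED_ZONE, host, ca, wild) else "denied")
```

The practical takeaway is the lookup direction: a CAA record on `example.com` governs every name beneath it that has no CAA records of its own, so authorizing your chosen CA at the apex is usually enough, and a stricter record on a subdomain takes precedence there.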