PingOne Advanced Identity Cloud

Server certificate best practices

When you use self-managed certificates, follow these best practices to ensure the security of your tenant environments:

Certificate creation and key management

  • Prioritize tenant-generated private keys: Whenever possible, generate the private key inside the tenant rather than importing one. Only the CSR leaves the tenant; the private key never does, which removes the most common leakage paths (copies on administrator workstations, in build pipelines, or in ticketing systems) and keeps the key in secure storage for its whole life.

  • Secure locally generated private keys: If operational requirements force you to generate the private key yourself, protect it accordingly: generate and store it in a Hardware Security Module (HSM) where possible, restrict access to the minimum set of people and systems, and keep an audit trail of every access and export. Treat the key file as a secret from the moment it is created (restrictive file permissions, no plaintext copies in e-mail, chat, or version control).

  • Use strong cryptography: Choose a strong key type and size when generating CSRs, for example RSA with a modulus of at least 2048 bits or ECDSA on the NIST P-256 or P-384 curves, and a SHA-256 or stronger signature hash. Review these choices periodically and tighten them as new attacks are published or industry baselines move.

  • Build complete certificate chains: Assemble a complete PEM-formatted chain in this order: your signed server (leaf) certificate first, then each intermediate CA certificate in signing order (each certificate's issuer is the subject of the one that follows it), and finally the root CA certificate. A missing intermediate or a certificate in the wrong position causes trust validation failures in clients, so check the order before you upload the chain.
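The following shell script is an added worked example; it is not part of the PingOne Advanced Identity Cloud documentation or product. It walks through the locally generated key path and the chain assembly described above: it generates a key with openssl (ECDSA P-256 by default, RSA 3072 on request), writes a CSR that carries the hostname as a subjectAltName, checks the CSR's key type and size against a simple policy, then assembles the PEM chain in leaf, intermediate, root order and verifies that order before the chain would be uploaded. Because no public CA is reachable offline, it builds a constructed two-level test CA to sign the CSR; the hostnames, CA names, and file paths are placeholders, and the script assumes OpenSSL 1.1.1 or later on PATH. If you use the tenant-generated key instead, only the chain steps apply, since the key and CSR then come from the tenant.

```shell
#!/bin/sh
# Added example, not part of the PingOne Advanced Identity Cloud documentation.
# Locally generated key + CSR with openssl, then a PEM chain assembled in the
# order leaf, intermediate, root and checked before upload. Assumes openssl
# 1.1.1 or later on PATH. The CA built here is a constructed test CA so the
# script runs offline; with a real CA you only submit the CSR.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Self-contained openssl config so the result does not depend on the system
# openssl.cnf; every DN is passed with -subj, so [dn] is never prompted.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Private key: ECDSA P-256 by default, RSA 3072 on request. Created under
# umask 077 so the key file is never world-readable, not even briefly.
gen_key() { # gen_key <keyfile> <ec|rsa>
  if [ "$2" = rsa ]; then
    (umask 077; openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "$1" 2>/dev/null)
  else
    (umask 077; openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
       -pkeyopt ec_param_enc:named_curve -out "$1")
  fi
}

# CSR carrying the hostname as a subjectAltName; a CN alone is not enough.
gen_csr() { # gen_csr <keyfile> <csrfile> <hostname>
  openssl req -new -key "$1" -subj "/CN=$3" -addext "subjectAltName=DNS:$3" \
    -config "$WORK/openssl.cnf" -out "$2"
}

# Policy check on a CSR before it goes to the CA: EC >= 256 bit or RSA >= 2048 bit.
csr_key_bits() { # prints the public key size found in the CSR, e.g. 256 or 3072
  openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
csr_key_is_strong() { # csr_key_is_strong <csrfile>; exit status 0 when the policy is met
  alg=$(openssl req -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: //p')
  bits=$(csr_key_bits "$1")
  case "$alg" in
    id-ecPublicKey) [ "$bits" -ge 256 ] ;;
    rsaEncryption)  [ "$bits" -ge 2048 ] ;;
    *) return 1 ;;
  esac
}

# Constructed two-level test CA (root signs intermediate) standing in for the
# real CA. The CA names are placeholders.
make_test_ca() {
  gen_key "$WORK/root.key" ec
  openssl req -x509 -new -key "$WORK/root.key" -subj "/CN=Example Test Root CA" -days 30 \
    -config "$WORK/openssl.cnf" -extensions v3_ca -out "$WORK/root.pem"
  gen_key "$WORK/int.key" ec
  openssl req -new -key "$WORK/int.key" -subj "/CN=Example Test Intermediate CA" \
    -config "$WORK/openssl.cnf" -out "$WORK/int.csr"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/openssl.cnf" -extensions v3_ca -out "$WORK/int.pem"
}

# The intermediate signs the server CSR (what the real CA does after validation).
issue_leaf() { # issue_leaf <csrfile> <certfile> <hostname>
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$3" > "$WORK/leaf.ext"
  openssl x509 -req -in "$1" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
    -days 30 -extfile "$WORK/leaf.ext" -out "$2"
}

# Chain file in the order the tenant expects: leaf, intermediate(s), root.
build_chain() { # build_chain <outfile> <cert>...
  out=$1; shift; cat "$@" > "$out"
}

# Splits a PEM bundle into $WORK/chain.1.pem, chain.2.pem, ...; prints the count.
split_chain() {
  awk -v d="$WORK" '/-----BEGIN CERTIFICATE-----/ {n++}
       n > 0 {print > (d "/chain." n ".pem")}
       END {print n + 0}' "$1"
}

# Order check: every certificate's issuer must be the next one's subject, and the
# first entry (the leaf) must verify with the last entry (the root) as trust anchor.
# A root-first or intermediate-less bundle fails here instead of at the client.
check_chain_order() { # check_chain_order <chainfile>; exit status 0 when the order is right
  count=$(split_chain "$1")
  [ "$count" -ge 2 ] || return 1
  i=1
  while [ "$i" -lt "$count" ]; do
    issuer=$(openssl x509 -in "$WORK/chain.$i.pem" -noout -issuer)
    subject=$(openssl x509 -in "$WORK/chain.$((i + 1)).pem" -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
    i=$((i + 1))
  done
  openssl verify -CAfile "$WORK/chain.$count.pem" -untrusted "$1" "$WORK/chain.1.pem" >/dev/null 2>&1
}

# Walk through the whole procedure once when the script is run directly.
run_demo() {
  host=login.example.test   # placeholder hostname
  gen_key "$WORK/server.key" ec
  gen_csr "$WORK/server.key" "$WORK/server.csr" "$host"
  csr_key_is_strong "$WORK/server.csr" && echo "CSR key ok: $(csr_key_bits "$WORK/server.csr") bit"
  make_test_ca
  issue_leaf "$WORK/server.csr" "$WORK/server.pem" "$host"
  build_chain "$WORK/chain.pem" "$WORK/server.pem" "$WORK/int.pem" "$WORK/root.pem"
  check_chain_order "$WORK/chain.pem" && echo "chain order ok: $WORK/chain.pem"
}
run_demo
```

The order check compares each issuer with the next subject on purpose rather than relying on `openssl verify` alone: `verify` builds its own path from whatever is in the bundle and will happily report OK for a root-first file, while the tenant expects the documented leaf, intermediate, root order. Point `WORK` at a directory you control and replace `make_test_ca` and `issue_leaf` with your CA's issuance step when you use this outside a lab.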

Ongoing certificate lifecycle management

  • Proactive expiration monitoring: Set up monitoring of certificate expiration dates. Use the "Expires Soon" status in the admin console and add external alerting so that renewals start well in advance (for example, 30 to 90 days before expiration), leaving time for CA validation and a controlled change window.

  • Generate new key pairs for renewals: When renewing a certificate, generate a new private key and a new CSR rather than re-signing the existing key. Reusing a key extends its exposure window: if the old key was ever compromised, every certificate renewed on it is compromised as well.

  • Regular audits: Periodically audit your TLS (SSL) certificate configuration to identify certificates nearing expiration, certificates that are no longer in use, and anomalies (such as an unexpected issuer, subject, or activation) that could indicate a security concern.

  • Controlled activation/deactivation: Follow established change management procedures when activating or deactivating certificates in a production environment to prevent service disruptions.

  • Prompt deletion: Delete pending CSRs and issued certificates that are no longer needed, so that the inventory stays small and unambiguous and an old certificate cannot be activated by mistake.

  • Principle of least privilege (PoLP): Grant service accounts used for certificate management only the scopes they need for that task, and nothing more.

  • Automate where possible: Although this guide describes manual steps, consider automating certificate lifecycle tasks (monitoring, CSR generation, upload, and activation) for large-scale deployments or environments that need fast, repeatable changes.

  • Security awareness: Ensure all personnel involved in certificate management understand the critical importance of certificate security, proper private key handling, and the potential impact of mismanagement.