Certificates for Transport Level Security (TLS) are registered with at least:
- for what service it was issued,
- what the owning group is including contact information,
- expiration date and
- technical details of certificate.
There is a process for requesting and revoking official certificates. Requesting and approving certificate requests are separate roles. The organisation selects approved certificate providers. Self-signed certificates are never allowed. If there is any indication that a system may be compromised, current certificates are revoked, new private keys generated and replacement certificates requested based on the new private key. Clients check whether certificates have been revoked as part of the certificate verification.
Users receive warnings when their certificates are about to expire.
The private keys for certificates are stored in a password vault with encryption and MFA, on separate systems from the ones where the certificates are actively used.
Specification
Certificates that are visible to end-users are signed through a CA Browser forum accepted certificate authority, the chain is passed along and the certificate is valid.
Selected approved certificate providers are published as DNS CAA records.
Users can request certificates on behalf of a group for which they have the role of certificate requestor. Those certificates are requested with the contact information for a group for renewal notices, to avoid a single point of failure in renewal.
Wildcard certificates are only allowed as an exception under very specific circumstances.
Certificates are always requested with parameters (hashing algorithms, private key size) set according to the current CA browser forum Baseline Requirements for TLS Server Certificates (see: https://cabforum.org/baseline-requirements-documents/).
Validity of certificates is checked as part of availability checks of services.
Single domain certificates are preferred over SAN certificates.
Private keys are not to be re-used for more than one service.
Revocation procedures for the Certificate Authority have to be known and available in case of an incident. Revoked certificates are published via the certificate revocation list (CRL), certificate status can be queried with OCSP and the certificate status is made available via OCSP stapling for public-facing services.
STITCH-1:
Certificate management must be set-up and configured.
ISO 27001 & 27002:2022
A8.24
SURF toetsingskader informatiebeveiliging (NBA-volwassenheidsmodel)
SM.10 Cryptographic Key Management