Securing Keys and Certificates

Note: The principles mentioned below only apply to the keystores used to protect the ActivID Appliance private keys . Other components, such as the HSMs used to protect the certificate authorities and web servers, are considered outside the scope of these recommendations.

General Considerations

Keystores securely create and maintain the private keys. All key security-sensitive devices must be generated inside a keystore. Security-sensitive devices include the following:

Certificate authorities
Web servers
ActivID Appliance components

ActivID Appliance keystores store and generate the following keys:

Credentials used to authenticate to third-party systems (depending on the third-party system capacity), including RA credentials and LDAP credentials
Digital signature key and certificates (for SAML Identity and Service Providers)
Cryptographic keys for encryption and signing of data

To increase security, it is strongly recommended that you:

Store these keys inside an external HSM (for further details, refer to the ActivID Appliance HSM Configuration Guide available from the ActivID Customer Portal)
Renew the keys regularly and at a set period
You can automate this by setting a policy or process for when keys should be renewed (using standard properties in server defaults)

Client, Web Server, and Root Certificates

ActivID Appliance uses certificates for internal SSL authentication between the various server systems (for example, between the ActivID Management Console and the ActivID Appliance server) and for mutual authentication between the ActivID Management Console and the client/operator systems.

For example, a web server certificate must be issued to the site hosting the ActivID Appliance site, and a client certificate must be used whenever a component requires client authentication. In addition, ActivID Appliance verifies that the certificate being used to authenticate is signed by a trusted CA.

Typically, the client, web server, and CA root certificates are all requested, issued, and installed as part of the initial ActivID Appliance installation.

During ActivID Appliance installation, self-signed certificates are generated.

Important: You are responsible for the Certificate Lifecycle Management (CLM) of the certificates used in your ActivID Appliance system.

This includes updating the certificates before they expire to avoid an interruption of service.

As a best practice, it is strongly recommended that you implement policies and procedures to:

Monitor the certificates (expired, revoked or compromised) with automated notifications
Regularly maintain and update certificates with a defined renewal strategy
Identify a role (either an individual or team) who is responsible for certificate management according to your organization’s security policies and compliance requirements