Securing Keys and Certificates

Note: The principles mentioned below only apply to the keystores used to protect the ActivID AS private keys . Other components, such as the HSMs used to protect the certificate authorities and web servers, are considered outside the scope of these recommendations.

General Considerations

Keystores securely create and maintain the private keys. All key security-sensitive devices must be generated inside a keystore. Security-sensitive devices include the following:

  • Certificate authorities
  • Web servers
  • ActivID AS components

ActivID AS keystores store and generate the following keys:

To increase security, it is strongly recommended that you:

  • Store these keys inside an external HSM (for further details, see Managing External HSM)
  • Renew the keys regularly and at a set period

    You can automate this by setting a policy or process for when keys should be renewed (using standard properties in server defaults)

Client, Web Server, and Root Certificates

ActivID AS uses certificates for internal SSL authentication between the various server systems (for example, between the ActivID Management Console and the ActivID AS server) and for mutual authentication between the ActivID Management Console and the client/operator systems.

For example, a web server certificate must be issued to the site hosting the ActivID AS site, and a client certificate must be used whenever a component requires client authentication. In addition, ActivID AS verifies that the certificate being used to authenticate is signed by a trusted CA.

Typically, the client, web server, and CA root certificates are all requested, issued, and installed as part of the initial ActivID AS installation.

During ActivID AS installation, self-signed certificates are generated.

Important: You are responsible for the Certificate Lifecycle Management (CLM) of the certificates used in your ActivID AS system.

This includes updating the certificates before they expire to avoid an interruption of service.

As a best practice, it is strongly recommended that you implement policies and procedures to:

  • Monitor the certificates (expired, revoked or compromised) with automated notifications

  • Regularly maintain and update certificates with a defined renewal strategy

  • Identify a role (either an individual or team) who is responsible for certificate management according to your organization’s security policies and compliance requirements