Security certificate deployment best practices
The following guidelines and recommended methods help you create and import security certificates more efficiently.
Protect keystore files
Treat your private keys as an important asset. Recommended policies include the following:
Generate private keys on a trusted computer.
Protect the keystore files with the help of passwords to prevent any compromise when they are stored in backup systems.
Audit the certificates periodically, and ensure that you renew them before they expire.
Use strong certificate signature algorithms and 2048-bit keys
Certificate security depends on the strength of the private key that was used to sign the certificate, and the strength of the hashing function used in the signature. In our certificate documentation, the command that is used to generate private key pair specifies the algorithm that needs to be used. The following example illustrates the same:
Make a backup of your keystores and truststores
To ensure a smooth transition between the test setup and the production setup, make a backup of your existing keystores, truststores, and certificates. The certificate documentation guides you to create signed certificates and import them into the default keystores and truststores. Before you go ahead and work on the default keystores and truststores, ensure that you make a backup of these keystores and truststores. Complete the certification creation and importing before you copy these newly created certificates into the production keystore and truststores.
Upgrade scenario best practices
If you are planning to upgrade a component that already has the signed certificates imported in its keystore and truststore, ensure the following for a smooth upgrade process:
- Make a backup of the default keystores and truststores that have the signed certificates.
- Upgrade the component.
- Restart the component.
If you want to upgrade TrueSight Infrastructure Management that is already in TLS mode, ensure to run
mmigrate for a smooth upgrade. This is to ensure that TLS settings in the mcell.conf are retained during the upgrade process.
Provide fully qualified domain name of the host machine while creating a key pair.
Ensure that you provide a fully qualified domain of the host machine while creating a key pair that will be used to generate signed certificates for a component.
Where to go from here
Create and import security certificates. For instructions, see Implementing private certificates in TrueSight Operations Management.