Treat your private keys as an important asset. Recommended policies include the following:
Generate private keys on a trusted computer.
Protect the keystore files with passwords so that they are not compromised when they are stored in backup systems.
Audit the certificates periodically, and ensure that you renew them before they expire.
Certificate security depends on the strength of the private key that was used to sign the certificate and on the strength of the hashing function used in the signature. In our certificate documentation, the command that generates the key pair specifies the algorithm to be used. The following example illustrates this:
To ensure a smooth transition between the test setup and the production setup, make a backup of your existing keystores, truststores, and certificates. The certificate documentation guides you through creating signed certificates and importing them into the default keystores and truststores. Make the backup before you start working on the default keystores and truststores. Complete the certificate creation and import before you copy the newly created certificates into the production keystores and truststores.
If you are planning to upgrade a component that already has the signed certificates imported in its keystore and truststore, ensure the following for a smooth upgrade process:
If you want to upgrade TrueSight Infrastructure Management that is already in TLS mode, run mmigrate for a smooth upgrade. This ensures that the TLS settings in mcell.conf are retained during the upgrade process.
Ensure that you provide the fully qualified domain name of the host machine when you create a key pair that will be used to generate signed certificates for a component.
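The periodic audit, key and hash strength, and fully qualified host name recommendations above can be checked in one pass. The following is an added example, not part of the product documentation; it assumes the keystores are Java keystores listed with `keytool -list -v` in an English locale, and the sample listing, aliases, host names and thresholds are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the layout of `keytool -list -v` (not from a real keystore).
SAMPLE = """\
Alias name: pserver
Owner: CN=tsim01.example.com, OU=IT, O=Example
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Thu Jan 01 00:00:00 UTC 2026
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key

Alias name: legacy
Owner: CN=tsim02, OU=IT, O=Example
Valid from: Fri Jan 01 00:00:00 UTC 2021 until: Sat Feb 01 00:00:00 UTC 2025
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
"""
WEAK_HASHES = ("MD2", "MD5", "SHA1")  # signature hashes to flag
MIN_RSA_BITS = 2048                   # assumed policy threshold

def field(entry, pattern):
    m = re.search(pattern, entry)
    return m.group(1) if m else None

def parse_until(text):  # e.g. "Sat Feb 01 00:00:00 UTC 2025"
    _, mon, day, clock, _, year = text.split()  # drop weekday and zone
    return datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")

def audit(listing, now, warn_days=30):
    report = {}  # alias -> list of findings (empty list means clean)
    for entry in re.split(r"(?m)^(?=Alias name:)", listing):
        alias = field(entry, r"Alias name: (\S+)")
        if alias is None:
            continue  # keystore header or blank chunk
        issues = []
        until = field(entry, r"until: (.+)")
        if until:
            days = (parse_until(until) - now).days
            if days <= warn_days:
                issues.append("expired" if days < 0 else f"expires in {days} days")
        sig = field(entry, r"Signature algorithm name: (\S+)") or ""
        if sig.upper().startswith(WEAK_HASHES):
            issues.append(f"weak signature hash ({sig})")
        if (bits := field(entry, r"Public Key Algorithm: (\d+)-bit RSA")) and int(bits) < MIN_RSA_BITS:
            issues.append(f"RSA key is only {bits} bits")
        if (cn := field(entry, r"Owner: .*?CN=([^,\n]+)")) and "." not in cn:
            issues.append(f"CN '{cn}' is not fully qualified")
        report[alias] = issues
    return report
```

Feed `audit()` the captured listing of each keystore and truststore on a schedule, and renew or regenerate any alias that returns findings.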