
For my company I'm starting to manage more and more domains; and with that more and more certificates for those domains.

What is a good way to store the basic KEY and CSR files generated? I was considering a git repo on our private code server. This does not seem secure enough though.

Would you suggest any other system, or how this can be done securely with a source control system like git?

Also: Does it make sense to store the CRT files and CA files in use?

  • The CSR is to be thrown away after the certificate has been issued. The purpose of the CSR is to export the public key and subject to the CA for the release of a certificate. There is no private information in it. – usr-local-ΕΨΗΕΛΩΝ Dec 15 '12 at 11:53

1 Answer


Just a few general guidelines that I use which may help:

  • Use wildcard certs wherever possible to reduce the sheer number and management scope of all your certs.
  • Use an excellent CA like DigiCert where you can create duplicates of your certs from different CSRs and add SANs (subject alt names) as needed.
  • Keep the private key the same when possible at administrative or security boundaries. For certs that go onto load-balancers for SSL acceleration done by our network team, one private key is used; for certs that go onto web servers, a different private key is used.
  • If you have a private CA on a Microsoft server, for example, you could store the files there since Microsoft recommends that the private CA be shut down when not needed.
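The question asks whether keys and CSRs can live in a git repository, and the comment points out that a CSR carries only the public key and subject. One practical way to use that distinction is a pre-commit hook that lets CSR, certificate and CA-bundle files into the repo but refuses any commit that stages a PEM private key. The script below is an added example, not code from the question or the answer; it assumes it is installed as `.git/hooks/pre-commit` and that `git` is on the PATH, and the sample PEM strings in it are constructed placeholders, not real key material.

```python
#!/usr/bin/env python3
"""Pre-commit gate: block PEM private keys, allow CSRs, certificates and CA bundles.

Added example for illustration; install as .git/hooks/pre-commit (assumption).
"""
import re
import subprocess
import sys

# A PEM block: BEGIN label, body, matching END label (standard RFC 7468 framing).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+?)-----\r?\n(.*?)-----END \1-----", re.S
)

# Labels whose body is public data only; these are safe to version.
PUBLIC_LABELS = {
    "CERTIFICATE REQUEST",
    "NEW CERTIFICATE REQUEST",
    "CERTIFICATE",
    "PUBLIC KEY",
    "X509 CRL",
}


def pem_labels(text):
    """Return the PEM block labels found in text, in order of appearance."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def classify(text):
    """Classify a file's content for the commit gate.

    'private' - at least one block is private-key material (any label that
                contains PRIVATE KEY, encrypted or not, e.g. RSA PRIVATE KEY,
                EC PRIVATE KEY, ENCRYPTED PRIVATE KEY, OPENSSH PRIVATE KEY)
    'public'  - every block is a CSR, certificate, public key or CRL
    'none'    - no PEM framing at all
    'unknown' - PEM blocks with a label this script does not recognise
    """
    labels = pem_labels(text)
    if not labels:
        return "none"
    if any("PRIVATE KEY" in label for label in labels):
        return "private"
    if all(label in PUBLIC_LABELS for label in labels):
        return "public"
    return "unknown"


def staged_files():
    """Paths added, copied or modified in the index (what this commit would record)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, check=True,
    ).stdout
    return [p for p in out.decode("utf-8", "replace").splitlines() if p]


def staged_content(path):
    """Content of the staged blob, not the working-tree file, so partial stages are judged correctly."""
    blob = subprocess.run(["git", "show", f":{path}"], capture_output=True, check=True).stdout
    return blob.decode("utf-8", "replace")


def find_offenders(paths, reader):
    """Return the paths whose staged content classifies as private-key material."""
    return [p for p in paths if classify(reader(p)) == "private"]


# Constructed sample inputs (placeholder bodies, not real key or CSR material).
SAMPLE_CSR = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    "MIIBconstructedPlaceholderNotARealCsr==\n"
    "-----END CERTIFICATE REQUEST-----\n"
)
SAMPLE_CRT = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIDconstructedPlaceholderNotARealCert==\n"
    "-----END CERTIFICATE-----\n"
)
SAMPLE_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEconstructedPlaceholderNotARealKey==\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    offenders = find_offenders(staged_files(), staged_content)
    for path in offenders:
        print(f"refusing to commit private key material: {path}", file=sys.stderr)
    sys.exit(1 if offenders else 0)
```

The gate inspects the staged blob rather than the working-tree file, so a key that was only partially staged is still caught, and it keys off the PEM label rather than the file extension, because a `.crt` or `.pem` file is often a bundle with the key appended. Files it reports as `unknown` are worth a manual look before widening `PUBLIC_LABELS`.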