Certificate Authority Security Best Practices Guide for Branded Resellers: Comprehensive Security Measures

SSL Support Team

7 months ago

Introduction

As a leading Certificate Authority (CA) and a trust services company, we prioritize the security and trustworthiness of our digital certificates and our identity validation procedures. This guide is focused on our branded reseller partners who hold subordinate certificate authorities chained to SSL.com’s trusted root (referred to as “subCAs”) and are responsible for collecting validation evidence, submitting it to our registration authority portal, and facilitating the issuance of certificates from the partner-branded subCAs that are managed by SSL.com. The purpose of this guide is to ensure the integrity and security of the validation evidence submission process and the certificate lifecycle, for resellers do not have direct access to root material and can only interact with certificate lifecycle operations through a designated API or through an account in the registration authority (RA) portal managed by SSL.com.

Secure Collection of Validation Evidence for Extended, Organization and Individual Validation Types

Data Minimization: Collect only the necessary validation evidence required for the certificate issuance process. Avoid gathering extraneous or sensitive information.
Secure Collection Methods: Use secure channels, such as encrypted forms or portals, when collecting validation evidence from end-users.
Access Control: Implement strict access controls to collect validation evidence. Only authorized personnel should have access, and multi-factor authentication should be mandatory.
Data Integrity: Ensure that the validation evidence remains unaltered during the collection process.
Domain Control Validation: Utilize domain control validation services and methods strictly provided by SSL.com.

Safe Submission of Validation Evidence to Root CA

API Security: Always use the designated API for submitting validation evidence. Ensure that API calls are made over secure channels, such as HTTPS.
Portal Uploads: Another safe method of evidence submission is to upload evidence directly into the related order you would see in your SSL.com account; be sure that you only upload evidence related to the specific order.
Regular Audits: Conduct regular audits of submission logs to ensure that no unauthorized submissions are being made.
Incident Response: Have a clear incident response plan for any discrepancies or breaches in the submission process. Notify the root CA us immediately if any irregularities are detected.

Best Practices for Using the Certificate Lifecycle Operations API

API Key Management: Safeguard your API keys. Store them securely, rotate them periodically, and never expose them in client-side code or public repositories.
Rate Limiting: Be aware of any rate limits imposed on the API to avoid unintentional service disruptions.
Monitoring and Logging: Monitor all API activities. Maintain detailed logs and regularly review them for any suspicious or unauthorized activities.
Error Handling: Implement robust error handling mechanisms. In case of any failures or discrepancies in the API responses, have a clear procedure to address them.

Maintaining a Secure Website

Proper TLS Server Configuration: Ensure that the server supports only strong cryptographic ciphers and protocols. Regularly update and patch the server to prevent known vulnerabilities.
Operating System Hardening: Minimize the number of services running on the server, apply security patches promptly, and use security configurations to reduce the attack surface.
Common Website Vulnerabilities: Regularly scan for and address vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF).
Maintain Proper Password Health: Ensure passwords are complex, incorporating a mix of uppercase and lowercase letters, numbers, and special characters. Encourage those with access to your servers or CRM to update their passwords regularly and avoid reusing passwords from other sites. Implement multi-factor authentication (MFA) or utilize clientAuth certificates.

CA/B Forum Network and Certificate Systems Security Requirements

Quarterly Vulnerability Scans: Conduct regular vulnerability scans every quarter to identify and rectify potential security issues.
Annual Penetration Testing: Engage in annual penetration testing to simulate potential attacks and identify weak points in the system.
Promote Security Requirements: Emphasize the importance of adhering to the CA/B Forum Network and Certificate Systems Security Requirements to maintain trust and security.

Promoting End User Best Practices with Private Key Generation, Storage, and CSRs

Educate on Key Generation: Guide end users to use CA-vetted tools for generating keys and CSRs. This ensures compatibility and security.
Key Length and Algorithm: Advise end users to use strong cryptographic algorithms and appropriate key lengths (e.g., RSA 2048-bit or higher).
Access Control and Multi-factor Authentication: Implement strict access controls and promote the use of multi-factor authentication, especially for actions triggering CA API interactions like certificate re-key, renewal, and revocation.

Secure Storage of Private Keys

Continual Key Rotation: Key rotation on a regular basis minimizes the quantity of data exposed if a key is compromised and shortens the time it takes an attacker to crack a key.
Encrypted Storage and Backup: Encourage encrypted backups of private keys, stored securely and separately.
Revocation and Key Destruction: Encourage policies in your end users that enable prompt and efficient revocation if a key is compromised or no longer needed. The key shouldn’t be used for any cryptographic operations after being revoked and should be destroyed.
Putting in place a Key Hierarchy: This structure creates layers of cryptographic keys, each with different levels of access and control. The master key, which is at the center of this hierarchy and is extremely secure, is used to encrypt additional keys, which are frequently referred to as “subordinate” or “data encryption.”
Having a disaster response strategy: Develop defined actions that need to be taken as well as responsible parties in the case of a major key compromise or key loss.

The trust in our CA and our branded resellers is paramount. By adhering to these comprehensive best practices, we can ensure the security and integrity of the certificate issuance process, protect user data, and maintain the trust of our end-users. We encourage all our resellers to implement these practices diligently and reach out to us for any further guidance or clarification.