Storing SSL certificates for developers



  • I work as a .NET developer on a small development team. Our organization has several websites, that all have certificates for serving them via HTTPS.

    The websites are deployed to On-premise Windows 2019 Servers, and the certificates are imported through the Certificates snap-in in the Microsoft Management Console.

    When the certificates are renewed, our boss usually sends the pfx-file in an E-mail, and the password used to import/decrypt the certificate, via a different channel.

    The problem is, that we don't know how to store the certificates and the passwords, away from the servers. Right now, they are stored in a network drive, in a folder with special permissions, so that only our boss and us developers can access the files - but none of us feel that is the right way to do it.

    The source code for our applications is in Azure Devops, but we do not have an Azure tenant, so we cannot use Azure Key Vault. We have thought about setting up a repository in Azure Devops for certificates and passwords, which our boss could manage access to, but we are not sure if that is the right approach either.

    What are the best practices for storing certificates and the passwords used for importing/decrypting them?



  • Following the discussion in the comments after this question, my recommendation would be to use a hardware security module (HSM) to store your SSL private keys. When you use an HSM, the private keys never leave the HSM, so it's impossible for a private key to fall into the wrong hands.

    Being that you are running physical servers on-prem, a HSM solution should not be too difficult to implement. See the links below for more information on how this solution works:

    How should I store SSL keys on the server?

    Why is an HSM required to protect CA certificates (rather than a regular USB token)?

    There are also cloud-based HSM's, like this one offered by Amazon AWS:

    https://docs.aws.amazon.com/cloudhsm/latest/userguide/ssl-offload-overview.html


Log in to reply
 

Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2