Blog | G5 Cyber Security

Client Certificates: Best Practices

G5 Cyber Security

TL;DR

Using client certificates adds a strong layer of security to your systems. This guide covers how to manage them effectively across different platforms, focusing on secure storage, renewal, and revocation.

1. Certificate Authority (CA) Selection & Setup

  1. Choose a CA: Decide between using a public CA (like Let’s Encrypt for client certificates – though less common than server certs), or setting up your own internal CA. An internal CA gives you more control but requires more management effort.
  2. CA Security: If self-hosting, protect your CA key extremely well. This is the root of trust. Use a Hardware Security Module (HSM) if possible.
  3. Define Certificate Policies: Decide on certificate validity periods (e.g., 398 days to avoid issues with some browsers), allowed Key Usages (Digital Signature, Key Encipherment), and Extended Key Usages (Client Authentication).

2. Certificate Generation & Distribution

  1. Generate CSRs: Each user/system needs a Certificate Signing Request (CSR). This is usually done with OpenSSL or similar tools. 
    openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr
  2. Sign CSRs: Use your CA to sign the generated CSRs, creating the actual certificates.
  3. Secure Distribution: Never email certificates directly. Use a secure method like:
    • A dedicated certificate portal with strong authentication (e.g., multi-factor).
    • An encrypted file transfer system.
    • Manual delivery with physical security measures.

3. System Configuration

The configuration steps vary significantly depending on the operating system and application.

Windows

  1. Import Certificate: Double-click the certificate file (.cer or .pem) and follow the wizard to import it into the user’s Personal certificate store.
  2. Configure Application: Configure the application (e.g., web browser, VPN client) to use the imported certificate for authentication. This often involves selecting the certificate from a list.

Linux

  1. Certificate Storage: Store certificates in a secure location with restricted permissions (e.g., /etc/ssl/certs/).
  2. Application Configuration: Configure applications to use the certificate and private key files. 
    # Example for Apache:
SSLCertificateFile /etc/ssl/certs/client.crt
SSLCertificateKeyFile /etc/ssl/private/client.key

macOS

  1. Import Certificate: Double-click the certificate file (.cer or .pem) and import it into Keychain Access.
  2. Configure Application: Configure applications to use the imported certificate from Keychain Access.

4. Secure Storage of Private Keys

The private key is the most sensitive part. Protect it!

5. Certificate Renewal

  1. Monitoring Expiry Dates: Implement a system to monitor certificate expiry dates well in advance (e.g., 30 days). Tools like certbot can help with this, even for client certificates if you’re automating the process.
  2. Automated Renewal: Automate the renewal process as much as possible. This reduces the risk of outages due to expired certificates.
  3. Re-Distribution: After renewal, securely distribute the new certificate to users/systems (using the methods described in step 2).

6. Certificate Revocation

If a certificate is compromised or an employee leaves, you need to revoke it.

  1. Certificate Revocation Lists (CRLs): Publish CRLs containing revoked certificates. Applications must be configured to check these lists.
  2. Online Certificate Status Protocol (OCSP): Use OCSP for real-time certificate status checking. This is more efficient than CRLs but requires an OCSP responder. 
    # Example OCSP URL:
http://your-ca-domain/ocsp
  3. Prompt Revocation: Have a clear process for promptly revoking compromised certificates.

7. Auditing & Logging

Exit mobile version