NIST SPECIAL PUBLICATION 1800-16
Securing Web Transactions
TLS Server Certificate Management
Includes Executive Summary (A); Approach, Architecture, and Security Risks and Recommended Best Practices (B); Approach, Architecture, and Security Characteristics (C); and How-To Guides (D)
Mehwish Akram
William C. Barker
Rob Clatterbuck
Donna Dodson
Brandon Everhart
Jane Gilbert
William Haag
Brian Johnson
Alexandros Kapasouris
Dung Lam
Brett Pleasant
Mary Raguso
Murugiah Souppaya
Susan Symington
Paul Turner
Clint Wilson
Final
This publication is available free of charge from: http://doi.org/10.6028/NIST.SP.1800-16
The first draft of this publication is available free of charge from: https://www.nccoe.nist.gov/projects/building-blocks/tls-server-certificate-management
NIST: Donna Dodson, William Haag, Murugiah Souppaya
Venafi: Paul Turner
Strativia: William C. Barker
DigiCert: Clint Wilson
F5: Dung Lam
Symantec: Alexandros Kapasouris
Thales Trusted Cyber Technologies: Rob Clatterbuck, Jane Gilbert
The MITRE Corporation: Mehwish Akram, Brandon Everhart, Brian Johnson, Brett Pleasant, Mary Raguso, Susan Symington
Final
June 2020
U.S. Department of Commerce
Wilbur Ross, Secretary
National Institute of Standards and Technology
Walter G. Copan, Undersecretary of Commerce for Standards and Technology and Director
Volume B: Approach, Architecture, and Security Risks and Recommended Best Practices
- 1 Introduction
- 2 TLS Server Certificate Background
- 3 TLS Server Certificate Risks
- 4 Organizational Challenges
- 5 Recommended Best Practices
- 5.1 Establishing TLS Server Certificate Policies
- 5.1.1 Inventory
- 5.1.2 Ownership
- 5.1.3 Approved CAs
- 5.1.4 Validity Periods
- 5.1.5 Key Length
- 5.1.6 Signing Algorithms
- 5.1.7 Subject DN and SAN Contents
- 5.1.8 Automation
- 5.1.9 Certificate Request Reviews – Registration Authority (RA)
- 5.1.10 Private Key Security
- 5.1.11 Rekey/Rotation upon Reassignment/Terminations
- 5.1.12 Proactive Certificate Renewal
- 5.1.13 Crypto-Agility
- 5.1.14 Revocation
- 5.1.15 Continuous Monitoring
- 5.1.16 Logging TLS Server Certificate Management Operations
- 5.1.17 TLS Traffic Monitoring
- 5.1.18 Certificate Authority Authorization
- 5.1.19 Certificate Transparency
- 5.1.20 CA Trust by Relying Parties
- 5.2 Establish a Certificate Service
- 5.3 Terms of Service
- 5.4 Auditing
- 6 Implementing a Successful Program
- Appendix A List of Acronyms and Abbreviations
- Appendix B Glossary
- Appendix C Mapping to the Cybersecurity Framework
- Appendix D Special Publication 800-53 Controls Applicable to Best Practices for TLS Server Certificate Management
- Appendix E References
Volume C: Approach, Architecture, and Security Characteristics
- 1 Summary
- 2 How to Use This Guide
- 3 Approach
- 4 Architecture
- 4.1 Logical Architecture
- 4.2 Physical Architecture
- 4.3 Technologies
- 4.3.1 Certificate Manager and Internal TLS Certificate Network Scanning Tool
- 4.3.2 Internal TLS Certificate Network Scanning Tool
- 4.3.3 Internal Root CA
- 4.3.4 Internal Issuing CA
- 4.3.5 Certificate Database
- 4.3.6 TLS Inspection Appliance
- 4.3.7 Hardware Security Module
- 4.3.8 External Certificate Authority
- 4.3.9 Load Balancer
- 4.3.10 DevOps Framework
- 4.3.11 Automated Certificate Management Frameworks
- 4.3.12 TLS Servers
- 4.3.13 Application Servers
- 5 Security Characteristic Analysis
- 6 Future Build Considerations
- Appendix A List of Acronyms
- Appendix B Glossary
- Appendix C References
Volume D: How-To Guides
- 1 Introduction
- 1.1 Practice Guide Structure
- 1.2 Build Overview
- 1.3 Build Architecture Summary
- 1.4 Typographic Conventions
- 1.5 Supporting Infrastructure
- 2 Product Installation and Configuration Guides
- 2.1 Product Installation Sequence (Example Build)
- 2.2 Thales TCT Luna SA 1700 Hardware Security Module
- 2.3 DigiCert Certificate Authority
- 2.3.1 Day 0: Installation and Standard Configuration
- 2.3.2 Day 1: Integration Configuration
- 2.3.2.1 Generate API Key
- 2.3.2.2 Venafi Integration (Automated)
- 2.3.2.3 Order Certificate Directly Through CertCentral (Manual Process)
- 2.3.2.4 Order an OV Single- or Multi-Domain TLS Certificate
- 2.3.2.5 Manage Order Within CertCentral (Manual)
- 2.3.2.6 Download a Certificate from the CertCentral Account
- 2.3.3 Day N: Ongoing Security Management and Maintenance
- 2.4 F5 BIG-IP Local Traffic Manager (LTM)
- 2.4.1 Day 0: Installation and Standard Configuration
- 2.4.1.1 Prerequisites
- 2.4.1.2 Download the Virtual Appliance
- 2.4.1.3 Deploying the BIG-IP OVA
- 2.4.1.4 Assigning a Management IP Address to a BIG-IP VE Virtual Machine
- 2.4.1.5 Log in to BIG-IP for the First Time
- 2.4.1.6 BIG-IP Configuration Utility
- 2.4.1.7 Configure NTP
- 2.4.1.8 Configure SMTP
- 2.4.1.9 Configure Syslog
- 2.4.1.10 Secure BIG-IP to NIST SP 800-53
- 2.4.2 Day 1: Product Integration Configuration
- 2.4.3 Day N: Ongoing Security Management and Maintenance
- 2.5 Symantec SSL Visibility Appliance
- 2.5.1 Day-0: Install and Standard Configuration
- 2.5.1.1 Prerequisites
- 2.5.1.2 Unpacking the Appliance
- 2.5.1.3 Rack-Mount the Appliance
- 2.5.1.4 Connect Cables
- 2.5.1.5 Power on the Appliance and Verify LEDs
- 2.5.1.6 Initial Appliance Configuration
- 2.5.1.7 Date and Time (NTP)
- 2.5.1.8 Additional Configuration
- 2.5.1.9 Broadcom Account Creation
- 2.5.1.10 License the SSL Visibility Appliance
- 2.5.2 Day 1: Product Integration Configuration
- 2.5.3 Day N: Ongoing Security Management and Maintenance
- 2.6 Venafi Trust Protection Platform (TPP)
- 2.6.1 Prerequisites
- 2.6.2 Installation
- 2.6.3 CA Integration
- 2.6.4 Folder Creation
- 2.6.5 Custom Fields
- 2.6.6 Assigning Certificate Owners
- 2.6.7 Setting Policies
- 2.6.8 Establishing a Domain Allowlist
- 2.6.9 Workflow – RA Reviews
- 2.6.10 CA Import
- 2.6.11 Network Discovery
- 2.6.12 Identify Certificate Risks/Vulnerabilities
- 2.6.13 Automate Management
- 2.6.14 Continuous Monitoring
- Appendix A Passive Inspection
- Appendix B Hardening Guidance
- Appendix C Venafi Underlying Concepts
- Appendix D List of Acronyms
- Appendix E Glossary
- Appendix F References
- Appendix G Supplemental Architecture Configurations