Today, the NCSC has published updated guidance on deploying and managing security certificates, taking into account trends and practice in the international certificates ecosystem. Provisioning and Managing Certificates in the Web PKI replaces our previous ‘Provisioning and Securing Security Certificates’ guidance, and brings together all our current thinking on Web PKI.
The guidance offers a set of key recommendations for certificate management. These include:
- using automated certificate provisioning and renewal where possible, reducing the risk of human error in managing your certificates
- preparing for shorter certificate lifetimes, recognising trends in the certificate authority ecosystem
- ensuring you have effective monitoring of your certificate issuance and renewals, and access to your private keys
- using cloud key management services and avoiding wildcard certificates to reduce the likelihood and impact of compromise
We have also taken the opportunity to make a few minor changes to our guidance on Using TLS to protect data and to Using IPsec to protect data, to ensure consistency with the certificates guidance and to reflect current standardisation activities. The guidance now aligns with the NCSC’s recent advice on external attack surface management (EASM) products.
At this stage, we have made no changes to our cipher suite recommendations in either of these pieces; the recommended profiles still provide good protection. However, the legacy profiles in each of those pieces of guidance are increasingly outdated, and in some cases deprecated, and it is essential that organisations relying on them update their profiles as soon as possible.
We will be producing more substantial revisions to our TLS and IPsec guidance in the near future, introducing additional recommended profiles / cipher suite preferences that include post-quantum cryptography, as the relevant protocol standards are finalised and as robust implementations mature in a range of commonly-used libraries.
Jeremy B
Principal Technical Director for Crypt and High Threat Technologies
