# Best Practices for Certificate Installation

## Automate Deployment from the Start

Manual certificate installation is error-prone and does not scale. Configure target systems and Bridge-based automated deployment as early as possible, ideally before the first certificate is deployed to a system, so that every renewal cycle replaces the certificate in place without operator intervention.
## Verify the Certificate After Every Deployment

After each deployment, automated or manual, verify that the correct certificate is actually being served:

```shell
openssl s_client -connect your-domain.example.com:443 -showcerts
```

Confirm that the serial number and expiry date match what is shown in the platform inventory. Running the same check automatically as a step in your deployment pipeline turns a one-off verification into ongoing assurance.
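The following script is an added example, not part of this documentation or the platform's tooling. It performs the same check as the `openssl s_client` command above from a pipeline: `fetch_peer_cert` retrieves the served certificate with the standard library `ssl` module, and `check_served_cert` compares it with the serial number and expiry recorded in the inventory. The inventory values, the sample certificate dictionary and the 14-day minimum remaining lifetime are assumptions; the dictionary mimics the shape returned by `ssl.SSLSocket.getpeercert()` so the comparison logic can be exercised offline.

```python
import socket
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert()
# (only the fields used below). It is not a real certificate.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "your-domain.example.com"),),),
    "serialNumber": "0A1B2C3D4E5F",
    "notBefore": "Jan 15 00:00:00 2025 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
}


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Connect over TLS with default validation and return the peer certificate
    as a dict. This is the pipeline equivalent of the openssl s_client step;
    a handshake or chain-validation failure raises an exception."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def normalize_serial(serial):
    """Canonicalise a serial number so that the inventory rendering
    (e.g. '0a:1b:2c:...') and the openssl/ssl rendering ('0A1B2C...')
    compare equal: strip separators and a 0x prefix, upper-case, drop
    leading zeros."""
    s = str(serial).strip().replace(":", "").replace(" ", "")
    if s.lower().startswith("0x"):
        s = s[2:]
    s = s.upper().lstrip("0")
    return s or "0"


def check_served_cert(peer_cert, expected_serial, expected_not_after,
                      now=None, min_days_left=14):
    """Compare the served certificate with the inventory record.
    Returns a list of problem descriptions; an empty list means the
    deployment is verified."""
    problems = []

    served_serial = normalize_serial(peer_cert.get("serialNumber", ""))
    wanted_serial = normalize_serial(expected_serial)
    if served_serial != wanted_serial:
        problems.append(
            f"serial mismatch: served {served_serial}, inventory {wanted_serial}")

    # ssl.cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' format
    # used in getpeercert() output and by openssl -enddate.
    served_exp = ssl.cert_time_to_seconds(peer_cert["notAfter"])
    wanted_exp = ssl.cert_time_to_seconds(expected_not_after)
    if served_exp != wanted_exp:
        problems.append(
            f"expiry mismatch: served {peer_cert['notAfter']}, "
            f"inventory {expected_not_after}")

    # Even when serial and expiry match, flag a certificate that is about
    # to expire: a renewal that is late in the pipeline must not pass silently.
    now = time.time() if now is None else now
    days_left = (served_exp - now) / 86400
    if days_left < min_days_left:
        problems.append(f"certificate expires in {days_left:.1f} days")

    return problems


if __name__ == "__main__":
    # Offline demonstration against the constructed sample record.
    print(check_served_cert(SAMPLE_PEER_CERT, "0a:1b:2c:3d:4e:5f",
                            "Dec 31 23:59:59 2025 GMT"))
```

In a real pipeline, replace the sample dictionary with `fetch_peer_cert("your-domain.example.com")` and feed the expected serial and expiry from the inventory record; a non-empty result should fail the deployment step.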
## Protect Private Key Files

When deploying certificates to Linux-based systems, restrict permissions on private key files:

```shell
chmod 600 /etc/ssl/private/your-domain.key
chown root:root /etc/ssl/private/your-domain.key
```
Only the process that needs the key (for example, the Nginx or Apache worker) should have read access. Avoid world-readable key files.
For Windows environments, use the Windows certificate store rather than writing PEM files to disk where possible. Certificate store entries can be protected by ACLs.
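As an added example (not part of this documentation), the following audit function checks the Linux permissions described above, so a deployment pipeline can fail when a key file ends up group- or world-readable, executable, owned by the wrong account, or replaced by a symlink. The `demo_setup` helper only creates two constructed files in a temporary directory for demonstration; the path and owner expectations are assumptions and the Windows certificate store case is not covered.

```python
import os
import stat
import tempfile


def audit_key_file(path, expected_uid=0, allow_group_read=False):
    """Return a list of findings for a private key file; an empty list means
    the file matches the chmod 600 / chown root:root guidance. expected_uid
    defaults to root (0); set allow_group_read=True only for a deliberate
    root:<service-group> 640 layout."""
    findings = []
    st = os.lstat(path)  # lstat: do not follow symlinks silently

    if stat.S_ISLNK(st.st_mode):
        # A symlink can be repointed; audit the real target explicitly.
        return [f"{path}: is a symlink (audit the target instead)"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: is not a regular file"]

    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IRWXO:
        findings.append(f"{path}: world-accessible (mode {oct(mode)})")
    group_bits = stat.S_IRWXG
    if allow_group_read:
        group_bits &= ~stat.S_IRGRP
    if mode & group_bits:
        findings.append(f"{path}: group-accessible (mode {oct(mode)})")
    if mode & stat.S_IXUSR:
        findings.append(f"{path}: executable bit set on a key file")
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")

    return findings


def demo_setup():
    """Create two constructed key-like files in a temporary directory:
    one with the recommended mode 600 and one left world-readable (644).
    Returns their paths and the current uid so the audit can be run offline."""
    tmp = tempfile.mkdtemp(prefix="keyaudit-")
    good = os.path.join(tmp, "good.key")
    bad = os.path.join(tmp, "bad.key")
    for p in (good, bad):
        with open(p, "w") as fh:
            fh.write("-----BEGIN PRIVATE KEY-----\nconstructed placeholder\n"
                     "-----END PRIVATE KEY-----\n")
    os.chmod(good, 0o600)  # explicit chmod: umask does not apply here
    os.chmod(bad, 0o644)
    return {"good": good, "bad": bad, "uid": os.getuid()}


if __name__ == "__main__":
    demo = demo_setup()
    for name in ("good", "bad"):
        print(name, audit_key_file(demo[name], expected_uid=demo["uid"]))
```

For production use, call `audit_key_file("/etc/ssl/private/your-domain.key")` with the default `expected_uid=0` after the deployment step and treat any finding as a failed deployment.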
## Test Deployments in Non-Production Environments First
Before configuring automated deployment on a production target system, test the same configuration on a staging or development system. Confirm that:
- The Bridge can reach the target system.
- The certificate and key are written to the expected paths.
- The service reload command succeeds.
- The service comes back up with the new certificate.
This avoids unexpected outages when the first production renewal occurs.
## Do Not Reuse Private Keys at Renewal
When a certificate is renewed, generate a new key pair rather than reusing the existing private key. Key reuse reduces the security benefit of renewal and does not limit the exposure window if the previous key was compromised.
The platform generates a new key pair by default for each certificate issuance. Do not override this behaviour unless you have a specific operational reason to do so.
## Monitor Deployment Status
After each automated renewal, confirm that the deployment to all associated target systems completed successfully. The certificate detail page shows the deployment status for each target system. A certificate that was renewed but not deployed means the target system is still using the expiring certificate.
Where possible, use SIEM integration or the platform's reporting features to alert on deployment failures and on certificates that are active but not deployed to any target system.
## Keep the Certificate Inventory in Sync
If you remove a certificate from a target system manually (outside of the platform), update or remove the target system association in the platform inventory. Stale associations create misleading deployment status entries and complicate audits.
Similarly, if a target system is decommissioned, remove it from the platform and remove its associations with any active certificates.
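The reconciliation below is an added example, not part of this documentation or the platform, covering both the monitoring section (renewed-but-undeployed and never-deployed certificates) and this inventory section (associations with decommissioned target systems). The record format is an assumption standing in for whatever the platform's reporting export provides: each certificate carries a status and a per-target deployment state, and the set of known target systems is exported separately. The sample records are constructed.

```python
import json

# Constructed sample export; the real platform format is assumed, not known.
CERTIFICATES = [
    {"id": "cert-1", "cn": "a.example.com", "status": "active",
     "targets": {"web-01": "deployed", "web-02": "failed"}},
    {"id": "cert-2", "cn": "b.example.com", "status": "active",
     "targets": {}},                      # active but deployed nowhere
    {"id": "cert-3", "cn": "c.example.com", "status": "active",
     "targets": {"db-99": "deployed"}},   # target no longer exists
    {"id": "cert-4", "cn": "d.example.com", "status": "revoked",
     "targets": {"web-01": "deployed"}},  # not active: ignored
]
TARGET_SYSTEMS = {"web-01", "web-02"}


def reconcile(certs, known_targets):
    """Return (kind, certificate id, target id or None) tuples for every
    condition an operator should be alerted on:
      deployment_<state>      a target did not reach state 'deployed'
      not_deployed_anywhere   an active certificate has no target at all
      stale_association       a target that is not in the inventory"""
    alerts = []
    for cert in certs:
        if cert["status"] != "active":
            continue
        if not cert["targets"]:
            alerts.append(("not_deployed_anywhere", cert["id"], None))
        for target, state in cert["targets"].items():
            if target not in known_targets:
                alerts.append(("stale_association", cert["id"], target))
            elif state != "deployed":
                alerts.append((f"deployment_{state}", cert["id"], target))
    # Stable ordering for diffing between runs; None sorts as empty string.
    return sorted(alerts, key=lambda a: (a[0], a[1], a[2] or ""))


def to_siem_lines(alerts, source="cert-platform-reconcile"):
    """Render alerts as one JSON object per line, the form most SIEM
    collectors accept from a script."""
    return [json.dumps({"source": source, "kind": k, "certificate": c,
                        "target": t}, sort_keys=True)
            for k, c, t in alerts]


if __name__ == "__main__":
    for line in to_siem_lines(reconcile(CERTIFICATES, TARGET_SYSTEMS)):
        print(line)
```

Running this after each renewal window gives one alert per failed deployment, one per active-but-undeployed certificate and one per association pointing at a target system that was removed without cleaning up the inventory.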