Provisioning and managing certificates in the Web PKI

Summary

This NCSC guidance explains how service owners should securely obtain, provision and manage server certificates in the Web Public Key Infrastructure (Web PKI). It focuses on practical controls to reduce the risk of certificate compromise, avoid weak or expired certificates, and detect unexpected issuance. The guidance covers protecting private keys, limitations of certificate revocation, scoping certificates to infrastructure, use of CAA DNS records, automation (ACME), shorter validity periods, modern cryptography and monitoring via Certificate Transparency logs.

Key Points

  • Protect private keys: keep confidentiality, integrity and availability; use cloud KMS where appropriate and avoid unnecessary key backups.
  • Do not rely solely on revocation: CRLs and OCSP have gaps; revoke compromised certificates but be aware revocation may not reach all clients.
  • Scope certificates to infrastructure: limit which devices hold which keys and prefer SAN entries over unnecessary key proliferation.
  • Avoid wildcard certificates unless genuinely needed; prefer listing explicit domains to reduce blast radius of compromise.
  • Use CAA DNS records to restrict which CAs can issue certificates for your domains and to block wildcard issuance where desired.
  • Automate provisioning and renewal (e.g. ACME) to prevent expiry and human error; secure automation tooling and credentials carefully.
  • Prepare for shorter certificate validity periods (trend to days/weeks): automation and monitoring become essential as lifetimes shrink.
  • Use modern cryptographic algorithms and plan for post‑quantum migration as guidance and standards evolve.
  • Prefer Domain Validation (DV) certificates: OV/EV offer no browser security advantage and are harder to automate.
  • Monitor issuance and renewal: track certificates in use, monitor access controls on keys and watch Certificate Transparency logs for unexpected certificates.
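As an added example (not code from the NCSC guidance), the following Python script shows how the CAA and Certificate Transparency points above fit together: constructed CT-log-style records are checked against a CAA-style allowlist, flagging issuance by a CA the policy does not name, wildcard issuance where issuewild forbids it, and certificates so close to expiry that automated renewal has evidently not run. The domain, CA names and records are all constructed.

```python
"""Check Certificate Transparency records against a CAA-style issuance policy.
Added example, not NCSC code: the policy and CT records below are constructed so
the check runs offline (a real monitor would pull records from a CT log service)."""
from datetime import datetime, timezone
# Constructed policy mirroring CAA records:  example.org. CAA 0 issue "ca-a.example"
# and  example.org. CAA 0 issuewild ";"  (no CA may issue wildcards for the domain).
POLICY = {"domain": "example.org", "issue": {"ca-a.example"}, "issuewild": set()}

# Constructed CT-log-style records (issuer, SAN list, expiry); not real certificates.
CT_RECORDS = [
    {"id": 1, "issuer": "ca-a.example", "sans": ["example.org", "www.example.org"],
     "not_after": "2025-03-01T00:00:00Z"},
    {"id": 2, "issuer": "ca-b.example", "sans": ["login.example.org"],
     "not_after": "2025-03-01T00:00:00Z"},
    {"id": 3, "issuer": "ca-a.example", "sans": ["*.example.org"],
     "not_after": "2025-03-01T00:00:00Z"},
    {"id": 4, "issuer": "ca-a.example", "sans": ["api.example.org"],
     "not_after": "2025-01-05T00:00:00Z"},
    {"id": 5, "issuer": "ca-b.example", "sans": ["unrelated.example"],
     "not_after": "2025-03-01T00:00:00Z"},
]

def parse_ts(ts):
    """Parse the UTC timestamp format used in the constructed records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def covers(san, domain):
    """True if a SAN names the monitored domain or any subdomain of it."""
    host = san[2:] if san.startswith("*.") else san
    return host == domain or host.endswith("." + domain)

def review(records, policy, now_ts, renew_within_days=14):
    """Return {record id: [findings]} for every record naming the monitored domain.
    Flags issuers the CAA policy does not permit (wildcards judged against issuewild
    when present, otherwise issue) and certificates so near expiry that renewal is late."""
    now, findings = parse_ts(now_ts), {}
    for rec in records:
        sans = [s for s in rec["sans"] if covers(s, policy["domain"])]
        if not sans:
            continue  # certificate is for someone else's domain; not our concern
        wild = any(s.startswith("*.") for s in sans)
        allowed = policy["issuewild"] if wild and "issuewild" in policy else policy["issue"]
        findings[rec["id"]] = issues = []  # every in-scope record gets an entry
        if rec["issuer"] not in allowed:
            issues.append(f"{'wildcard' if wild else 'non-wildcard'} issuance by "
                          f"{rec['issuer']} not permitted by CAA policy")
        days_left = (parse_ts(rec["not_after"]) - now).days
        if days_left < renew_within_days:
            issues.append(f"expires in {days_left} days; renewal has not happened")
    return findings
```

Run as `review(CT_RECORDS, POLICY, "2025-01-01T00:00:00Z")`: record 1 is clean, 2 and 3 are unexpected issuance, 4 is overdue for renewal, and 5 is ignored because it does not name the monitored domain.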

Why should I read this?

Short version: if you run sites or services that use TLS, this is worth five minutes. The guidance tells you what to do to avoid embarrassing outages, impersonation and costly incidents — and how to stop certificate management from becoming a recurring firefight. We’ve done the heavy reading so you don’t have to.

Source

Source: https://www.ncsc.gov.uk/guidance/provisioning-and-managing-certificates-in-the-web-pki
