Q: I am a software vendor, and I want to integrate certificates into that software properly. How should I do that?
* Upon installation, automatically generate a new, fresh and secure keypair (secret key+public key). We suggest using RSA and a keylength of 2048 Bits for it. Make sure that the keypair is freshly generated from real random numbers (/dev/random), and that you do not ship any secret keys + certificates to your customers.
* Then automatically generate a self-signed certificate, and activate it in your software. This is to make sure that the user can instantly use a encrypted session. * Then automatically generate a certificate request (CSR) for the administrator, display/save it for the administrator, and tell him that he should send it to a CA, and get a proper certificate for it. * Make it possible for the user to upload/load/implement a
After the Installation
* Later on, make it easy for the administrator to upload/load/implement the received certificate into the software, and perhaps remind the administrator not to forget getting a certificate.
Before the certificate expires
* Regularly check for expiring certificates. Automatically generate self-signed certificates and certificate requests, and offer the administrator to replace the expiring certificate with a renewed or a self-signed certificate again.
* In case the software is told about an identity change (responsible for a different hostname, domainname), the software should verify, whether the certificate still applies to the new identity, otherwise it should ask the administrator to get a new certificate for the new identity in the usual manner. * Additionally, the software should inform the administrator that it might be a good possibility now to revoke the old certificate, if it isn´t needed anymore. (Be careful with certificates that were used for signing!)