New Content #13401

open

Best practices doc for rotating credentials and keys

Added by Jim Pingle about 2 months ago. Updated about 2 months ago.

Status: Feedback
Priority: Normal
Assignee:
Category: General
Target version: -
Start date:
Due date:
% Done: 100%
Estimated time:

Description

We need a document somewhere in the pfSense docs which describes methods for periodic rotation of security-related items, including:

  • User passwords (user manager, perhaps other areas such as PPPoE/L2TP server?)
  • Credentials for connecting to external authentication servers
  • Certificate private keys (for GUI, for VPNs, other purposes)
  • VPN pre-shared keys (IPsec, WireGuard, etc)
  • Packages which carry their own credential information are not as critical, but may be worth mentioning (e.g. FreeRADIUS and NET-SNMP at least)

The timing of such changes may vary widely by organization, so we probably shouldn't suggest time frames for these, only note methods and potential pitfalls (e.g. importance of coordinating changes with VPN peers).

Actions #1

Updated by Brad Davis about 2 months ago

Maybe also add CA and certificates?

Actions #2

Updated by Jim Pingle about 2 months ago

Brad Davis wrote in #note-1:

Maybe also add CA and certificates?

CA/Certs have that built in -- they expire. The private keys are a different story. Changing them is really the same, the CA/Cert can be renewed but changing the key is an optional step in that process. One wouldn't normally want to change the private key all that often (especially on a CA), but for others it's just a matter of unchecking the box on the renewal screen that asks to keep the key or not.
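
The point in the comment above is that a renewal may or may not replace the private key, so after a renewal it is worth confirming which one happened. The script below is an added example, not part of the original thread and not pfSense code: it compares the public-key (SPKI) fingerprints of the old and renewed certificates with the stock `openssl` CLI. It assumes both certificates have been exported as PEM files; the file names and subject name are hypothetical, and the sample certificates are constructed on the fly.

```shell
#!/bin/sh
# Added example (not pfSense code): did a renewal replace the private key?

# Print the SHA-256 of a certificate's DER-encoded SubjectPublicKeyInfo.
spki_sha256() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 if the renewed certificate carries a different key, 1 if the key
# was kept, 2 if either file could not be parsed as a certificate.
key_rotated() {
    old_fp=$(spki_sha256 "$1") || return 2
    new_fp=$(spki_sha256 "$2") || return 2
    [ "$old_fp" != "$new_fp" ]
}

# Constructed sample data: an original certificate, a renewal that reuses
# its key, and a renewal issued on a fresh key.
make_samples() {
    d=$1; subj="/CN=gui.example.test"   # hypothetical subject
    for k in old new; do
        openssl ecparam -genkey -name prime256v1 -noout -out "$d/$k.key" || return 1
    done 2>/dev/null
    for c in orig:old renew_kept:old renew_rekeyed:new; do
        openssl req -new -x509 -key "$d/${c#*:}.key" -subj "$subj" -days 30 \
            -out "$d/${c%%:*}.crt" 2>/dev/null || return 1
    done
}

report() {
    if key_rotated "$1" "$2"; then echo "$2: key rotated"
    else case $? in
        1) echo "$2: SAME key as $1 (renewal kept the key)" ;;
        *) echo "$2: could not parse one of the certificates" ;;
    esac; fi
}

# Demo on the constructed samples.
tmp=$(mktemp -d) && make_samples "$tmp" && {
    report "$tmp/orig.crt" "$tmp/renew_kept.crt"
    report "$tmp/orig.crt" "$tmp/renew_rekeyed.crt"
}
rm -rf "$tmp"
```

Comparing the key fingerprint rather than the whole certificate matters because a renewal always changes the serial number and validity dates, even when the key is kept.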

Actions #3

Updated by Jim Pingle about 2 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100