New Content #13401

closed

Best practices doc for rotating credentials and keys

Added by Jim Pingle over 1 year ago. Updated over 1 year ago.

Status: Resolved
Priority: Normal
Assignee:
Category: General
Target version: -
Start date:
Due date:
% Done: 100%
Estimated time:

Description

We need a document somewhere in the pfSense docs which describes methods for periodic rotation of security-related items, including:

  • User passwords (user manager, perhaps other areas such as PPPoE/L2TP server?)
  • Credentials for connecting to external authentication servers
  • Certificate private keys (for GUI, for VPNs, other purposes)
  • VPN pre-shared keys (IPsec, WireGuard, etc)
  • Packages which carry their own credential information are not as critical, but may be worth mentioning (e.g. FreeRADIUS and NET-SNMP at least)

The timing of such changes may vary widely by organization so we probably shouldn't suggest time frames for these, only note methods and potential pitfalls (e.g. importance of coordinating changes with VPN peers).

Actions #1

Updated by Brad Davis over 1 year ago

Maybe also add CA and certificates?

Actions #2

Updated by Jim Pingle over 1 year ago

Brad Davis wrote in #note-1:

Maybe also add CA and certificates?

CA/Certs have that built in -- they expire. The private keys are a different story. Changing them is really the same, the CA/Cert can be renewed but changing the key is an optional step in that process. One wouldn't normally want to change the private key all that often (especially on a CA), but for others it's just a matter of unchecking the box on the renewal screen that asks to keep the key or not.
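
An added example, not part of the original ticket or of the pfSense documentation: because a renewal may keep or replace the private key, one way to confirm afterwards whether a key was actually rotated is to compare the SHA-256 hash of the public key in the old and renewed certificates. The function names, file names and the `gui.example.test` subject are constructed for the demo, which generates throwaway certificates with `openssl` rather than using the pfSense renewal screen.

```shell
#!/bin/sh
# Added example: tell "certificate renewed, key kept" apart from "key rotated".

# Print the SHA-256 of a certificate's public key (SubjectPublicKeyInfo, DER).
# The value depends only on the key, not on serial, validity dates or signature.
spki_fp() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" |
        openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Print "rotated", "unchanged" or "error" for an old/new certificate pair.
rotation_status() {
    old=$(spki_fp "$1") && new=$(spki_fp "$2") || { echo error; return 0; }
    if [ "$old" = "$new" ]; then echo unchanged; else echo rotated; fi
}

# Constructed sample data: one original self-signed certificate, one renewal
# that reuses its key, and one renewal issued on a freshly generated key.
make_demo_certs() {
    subj="/CN=gui.example.test"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/k1.pem" \
        -out "$1/old.pem" -subj "$subj" -days 30 2>/dev/null &&
    openssl req -x509 -new -key "$1/k1.pem" \
        -out "$1/renew_keep.pem" -subj "$subj" -days 30 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/k2.pem" \
        -out "$1/renew_rekey.pem" -subj "$subj" -days 30 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
for c in renew_keep renew_rekey; do
    echo "$c: $(rotation_status "$demo_dir/old.pem" "$demo_dir/$c.pem")"
done
rm -rf "$demo_dir"
```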

Actions #3

Updated by Jim Pingle over 1 year ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

Actions #4

Updated by Danilo Zrenjanin over 1 year ago

  • Status changed from Feedback to Resolved

It looks good!

I am marking this ticket resolved.
