Hardening guidelines for server certificates

Contributors

You should replace the default certificates created during installation with your own custom certificates.

For many organizations, the self-signed digital certificate for StorageGRID web access is not compliant with their information security policies. On production systems, you should install a CA-signed digital certificate for use in authenticating StorageGRID.

Specifically, you should use custom server certificates instead of these default certificates:

  • Management interface certificate: Used to secure access to the Grid Manager, the Tenant Manager, the Grid Management API, and the Tenant Management API.

  • S3 and Swift API certificate: Used to secure access to Storage Nodes and Gateway Nodes, which S3 and Swift client applications use to upload and download object data.

Note StorageGRID manages the certificates used for load balancer endpoints separately. To configure load balancer certificates, see the steps for configuring load balancer endpoints in the instructions for administering StorageGRID.

When using custom server certificates, follow these guidelines:

  • Certificates should have a subjectAltName that matches DNS entries for StorageGRID. For details, see section 4.2.1.6, “Subject Alternative Name,” in RFC 5280: PKIX Certificate and CRL Profile.

  • When possible, avoid the use of wildcard certificates. An exception to this guideline is the certificate for an S3 virtual hosted style endpoint, which requires the use of a wildcard if bucket names are not known in advance.

  • When you must use wildcards in certificates, you should take additional steps to reduce the risks. Use a wildcard pattern such as *.s3.example.com, and do not use the s3.example.com suffix for other applications. This pattern also works with path-style S3 access, such as dc1-s1.s3.example.com/mybucket.

  • Set the certificate expiration times to be short (for example, 2 months), and use the Grid Management API to automate certificate rotation. This especially important for wildcard certificates.

In addition, clients should use strict hostname checking when communicating with StorageGRID.