Question

How to securely and effectively create, provision and revoke certificates and keys for securing data at rest and in transit?

Context

In properly managed cloud systems, cryptographic material such as private/public key pairs and secret symmetric keys hve a well-defined lifetime. However, already in simple systems, there could be tens of certificates and keys which require lifetime management.

Solution

Renewing certificate and cryptographic key is important in order to minimise the risk that may occur as the result of repeated usage of the old one. There should be the renewal policy for certificate and key either manually or automatically. In most of cloud service platforms, they provide a tool to manage key as well as certificate, user can adopt either manual or automatic key renewal. User can also use/configure their own defined certificate and key (e.g. AWS key manager).