Signing certificate

Safewhere Identify uses a signing certificate for two main purposes:

  1. Integrity: to sign all messages that it needs to send to other systems.
  2. Confidentiality: to decrypt encrypted messages that other systems send to it.

Because the signing certificate is at the center of all cryptographic operations, it is important that you learn how to manage it correctly and securely.

Signing certificate in the Windows Certificate store

Storing the signing certificate in the Windows Certificate store is the most popular option. Our installation tool provides an option to auto-generate self-signed signing certificates. You can also import your own certificates into the Windows store and use them when setting up Identify instances. All options are well supported by our Configurator tool.

Changing signing certificate

When you need to change the signing certificate of your Identify instance, you need to use the Reconfigure feature. You can use either the UI version or the CLI version.

Signing certificate in Azure

Azure Key Vault

Another option is to store the signing certificate in Azure Key Vault. Identify has support for both software-protected and HSM-protected keys. Our how-to guideline has everything that you need to get started.

Managed HSM

Azure Managed HSM is a more secure and performant option than the traditional Azure Key Vault. If your Identify installation needs to meet requirements of FIPS 140-2 Level 3 (which is mandated by the NSIS 2.0 standard), this is the right option for you. You can visit our guideline for instructions about how to set up a Managed HSM instance and use it with Identify.

Technically speaking, because Azure Managed HSM supports keys but not certificates, the certificates (with their public keys) are stored in Identify's SQL database, while the private keys are stored in the Managed HSM.

Working with Azure Key Vault and Managed HSM

We recommend that you read the following Azure articles to understand how to work with Azure Key Vault and Managed HSM.

Understanding the Role-based access control

Understanding the Role-based access control (RBAC) model helps you make your Azure Key Vault resources more secure. Specifically, you can use RBAC to control who has which permissions on which Azure Key Vault resources. You can find all the concepts and tutorials about RBAC in the official Azure documentation here.

Securing access to Azure Key Vault and Managed HSM

During the process of provisioning an Azure Key Vault or a Managed HSM, you need to assign the necessary roles to a security principal so that it can access certificates and keys.

For Azure Key Vault, you can use the Azure Portal to open the Access policies menu, where you can manage roles and permissions for certificate management operations. For Managed HSM, see Managed HSM local RBAC built-in roles.

You can find best practices for securing access to a Managed HSM in this article.

Backup/Recovery

Make sure you take regular backups of your HSM. Backups can be done at the HSM level and for specific keys. You can use the Azure CLI to make a backup for your keys. For more information, see Create a single key backup and Managed HSM disaster recovery.

Logging

Enabling logging for your Managed HSM resource is recommended. It is a way to monitor how and when your HSMs are accessed, and by whom. You can follow this guide to enable logging for your Managed HSM. Meanwhile, the Azure Portal has UI support for enabling logging for Azure Key Vault.

Monitoring and alerting

When logging is enabled, you can use Azure Monitor logs to review and query the Managed HSM AuditEvent logs, analyze your data, and get the information that you need. Next, you can set up alert rules that are triggered when certain conditions are met. For more information about log alerts, see Create, view, and manage log alerts using Azure Monitor and How to configure alerts on your Key Vault.
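As an added example (not part of this guide or the Identify product), the following Python script applies that kind of alert logic offline to a few constructed AuditEvent-style records: it flags failed operations, callers outside an expected app id and IP range, and administrative key operations performed by the signing service principal. The field names, app ids, IP ranges and operation names are assumptions for illustration, not values taken from a real deployment.

```python
import json
from collections import Counter

# Constructed sample records in the shape of Azure Key Vault / Managed HSM
# AuditEvent diagnostic logs (field names are assumed, not copied from a live vault).
SAMPLE_LOG = """
{"time":"2024-05-01T08:00:01Z","operationName":"KeySign","resultType":"Success","callerIpAddress":"10.0.1.5","identity":{"claim":{"appid":"identify-app"}}}
{"time":"2024-05-01T08:00:02Z","operationName":"KeyDecrypt","resultType":"Success","callerIpAddress":"10.0.1.5","identity":{"claim":{"appid":"identify-app"}}}
{"time":"2024-05-01T08:00:05Z","operationName":"KeySign","resultType":"Forbidden","callerIpAddress":"203.0.113.9","identity":{"claim":{"appid":"unknown-app"}}}
{"time":"2024-05-01T08:01:00Z","operationName":"KeyBackup","resultType":"Success","callerIpAddress":"10.0.1.77","identity":{"claim":{"appid":"ops-admin"}}}
{"time":"2024-05-01T08:02:00Z","operationName":"KeyDelete","resultType":"Success","callerIpAddress":"198.51.100.4","identity":{"claim":{"appid":"identify-app"}}}
"""

# Assumed allowlist: the Identify service principal, an operations principal,
# and the subnet the Identify servers live in.
EXPECTED_APPS = {"identify-app", "ops-admin"}
EXPECTED_IP_PREFIX = "10.0.1."
# Administrative operations the signing service principal should never perform itself.
ADMIN_OPS = {"KeyDelete", "KeyBackup", "KeyPurge", "KeyUpdate"}

def parse_audit_events(text):
    """Parse newline-delimited JSON AuditEvent records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_alerts(events):
    """Return (rule, time, operationName, appid, callerIp) for each alert-worthy event."""
    alerts = []
    for e in events:
        appid = e.get("identity", {}).get("claim", {}).get("appid", "<none>")
        ip = e.get("callerIpAddress", "")
        op = e.get("operationName", "")
        rules = []
        if e.get("resultType") != "Success":
            rules.append("failed-operation")
        if appid not in EXPECTED_APPS or not ip.startswith(EXPECTED_IP_PREFIX):
            rules.append("unexpected-caller")
        if op in ADMIN_OPS and appid == "identify-app":
            rules.append("admin-op-by-service-principal")
        for rule in rules:
            alerts.append((rule, e["time"], op, appid, ip))
    return alerts

def summarize(events):
    """Count operations per (appid, operation); useful for spotting volume anomalies."""
    return Counter((e["identity"]["claim"]["appid"], e["operationName"]) for e in events)

if __name__ == "__main__":
    evs = parse_audit_events(SAMPLE_LOG)
    for alert in find_alerts(evs):
        print("ALERT", *alert)
    print(summarize(evs))
```

The same three rules map directly onto Azure Monitor log alert conditions once the AuditEvent table is being collected.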

Performance: be aware of service limits and regions

If your Identify instance needs to serve a high number of requests per second, be aware of Azure Key Vault's service limits, which describe the limitations that apply when using Azure Key Vault with Identify.

Another factor that impacts performance is the region. In short, you need to provision the Azure Key Vault or Managed HSM in the same region that hosts your Identify instance's servers.