Digital Certificate Management Function
- Meet the following certificate format and content requirements.
- Use an X.509v3 certificate and secure certificate signature algorithms.
- Use secure random number to generate a key pair with at least 2048 bits. 4096-bit key pair is recommended.
- Set a proper validity period for certificates.
- Provide certificate import function and verify the content, signature algorithm, and key length during certificate import.
- The private key of the certificate must be stored using a password-based encryption mechanism. The private key protection password must meet the complexity requirements and be encrypted for storage. In addition, the access permission on the private key file and certificate file must be controlled.
- The integrity protection mechanism should be provided for certificate and private key information to prevent service interruption caused by information damage.
- Do not provide the function or API for exporting the certificate private key.
- Check and update the certificate expiration.
- Verify whether the peer digital certificate has been revoked.
Parent topic: Digital Certificate Management Reference