Digital Certificate Management Reference
The certificate required by the StreamServer inference service is provided and managed by the integrated third party.
The certificate management service should periodically check the validity and availability of all local certificates. The reference solution is as follows:
- Certificate format and content requirements
  - Use X.509v3 certificates and secure certificate signature algorithms.
  - Use a secure random number generator to generate the key pair. The key length must be at least 2048 bits, and 3072 bits is recommended.
  - Set a proper validity period for certificates.
- Provide a certificate import function that verifies the content, signature algorithm, and key length of each certificate during import.
- The private key of a certificate must be stored using a password-based encryption mechanism. The private key protection password must meet the complexity requirements and be encrypted for storage. In addition, the access permission on the private key file and certificate file must be controlled.
- An integrity protection mechanism should be provided for certificate and private key information to prevent service interruption caused by damaged information.
- It is prohibited to provide the function or interface for exporting certificate private keys.
- Support checking certificate expiration and updating certificates.
- Support verifying whether the peer's digital certificate has been revoked.
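
One way the periodic check could cover the file-permission and integrity requirements above, as an added example that is not StreamServer code. The owner-only permission policy, the HMAC-SHA256 manifest, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import stat

# Assumed policy (not from the page): only the owner may access key/cert files.
FORBIDDEN_BITS = stat.S_IRWXG | stat.S_IRWXO


def file_tag(path, mac_key):
    """HMAC-SHA256 over the file contents, read in chunks."""
    mac = hmac.new(mac_key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_manifest(paths, mac_key):
    """Record the expected tag of each file, e.g. right after import."""
    return {p: file_tag(p, mac_key) for p in paths}


def audit(manifest, mac_key):
    """Return {path: [findings]} for every file that fails a check."""
    report = {}
    for path, expected in manifest.items():
        findings = []
        try:
            st = os.lstat(path)  # lstat: do not follow a swapped-in symlink
        except FileNotFoundError:
            report[path] = ["missing"]
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append("not a regular file")
        elif not hmac.compare_digest(file_tag(path, mac_key), expected):
            findings.append("integrity tag mismatch")
        if st.st_mode & FORBIDDEN_BITS:
            findings.append("group/other access: %o" % stat.S_IMODE(st.st_mode))
        if findings:
            report[path] = findings
    return report
```

The MAC key must be kept apart from the files it protects; otherwise anyone able to alter a certificate or key file could also recompute its tag.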