Securely store ssl certificates with expiration date

We are looking for a location to securely store certificates for specific domains.
We would like to have 1 record containing different types of certificates from the same domain (csr, crt, pem), the password of this certificate, and the expiry date with a notification 1 month before the expiry date.

I see that the ingredients are in 1Password but the recipe is missing. Is there any way to realize this? You guys would be really unique with this functionality as far as I can see.



Comments

  • ag_ana
    1Password Alumni

    Hi @pschaller!

    I see that the ingredients are in 1Password but the recipe is missing. Is there any way to realize this? You guys would be really unique with this functionality as far as I can see.

    We don't currently have a specific category for SSL certificates, but I wonder if you have considered using Document items for this? You could upload the files as a zip file, and then add custom fields to store all additional information:

    Customize your 1Password items

    You could also add tags to these entries so you can group all certificates even if they don't have their own category:

    Organize with favorites and tags

  • pschaller
    Community Member

    Hi Ana,

    Thank you for your response! Very nice of you to answer so quickly. Uploading as a zip file is certainly an option. I only miss the expiration date with alarm function before the certificate expires.

  • ag_ana
    1Password Alumni

    @pschaller:

    I only miss the expiration date with alarm function before the certificate expires.

    This would indeed be a nice feature. I see that our developers have an open issue to discuss this feature, so in the meantime I will let them know that you would also like to see this ;)

    ref: dev/projects/customer-feature-requests#55

  • Tertius3
    Community Member

    A password manager like 1Password doesn't really fit best practice workflow for handling certificates. As someone who takes part in certificate management in our company, I have a bit of experience with this and know about best practice.

    If you talk about some SSL certificate used on a web server for SSL/TLS, best practice is to automate renewal. Choose a CA that allows automated renewal with tools like CertNanny or ACME (Let's Encrypt supports this). Everything is stored on the server that handles renewal, often the webserver itself, and your strategy to secure this data is to harden the server against attackers as well as a proper disaster recovery process (backup+restore).

    The things you might store in 1Password are login credentials and your company's validation details for the CA for backup purposes. But certificates and the corresponding private keys need to be renewed and recreated every once in a while, so automate this. If you don't automate renewal, and your manual renewal process gets neglected (this is unavoidable after a few years!), you will get these famous calls: "I'm unable to connect to your website - certificate invalid/expired!"

    If you operate your own CA for your private hosts in your intranet, arrange for automated renewal and certificate distribution. Active Directory has integrated certificate management.

    Manual renewal is a process that will become obsolete, because the big browser manufacturers (Google, Mozilla) insist on shorter expiry dates in the future. In the past, it was 2 years. Currently 1 year is longest. 3 months is Let's Encrypt. In the future, expect common certification expiry between 3 and 6 months. With such a short expiry time, this is something that simply must be automated.

    For example, with Let's Encrypt and their acme-clients, automating for whatever web server software and whatever firewall and host security you have in your intranet is a breeze.

  • ag_ana
    1Password Alumni

    Thank you for sharing your experience on this @Tertius3!

  • anderssv
    Community Member

    While I agree with @Tertius3, we are not in total control of everything around us. We have several certificates (for sign/encrypt, and some SSL), and also other credentials that need manual refresh/handling based on auto expire. So we would really love a feature like this.

  • ag_ana
    1Password Alumni

    I have added you to the list of users who would find this useful @anderssv, thank you for sharing :)
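
Added example, not part of the thread and not a 1Password feature: a Python check that flags certificates inside the notice window requested above, for certificates that still have to be renewed by hand. The inventory names and dates are constructed, "1 month" is taken as 30 days, and the function names are hypothetical.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

NOTICE_WINDOW = timedelta(days=30)  # assumption: "1 month before" means 30 days

def parse_not_after(text):
    """Parse an OpenSSL-style notAfter string such as 'Jun 20 12:00:00 2025 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

def fetch_not_after(host, port=443, timeout=5.0):
    """Read notAfter from a live TLS endpoint (needs network access).
    An already expired certificate fails verification and raises
    ssl.SSLCertVerificationError; treat that exception as an alert too."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def expiry_report(inventory, now, window=NOTICE_WINDOW):
    """inventory maps a label to a notAfter string.
    Returns (label, status, whole_days_left) tuples, most urgent first."""
    rows = []
    for label, not_after in inventory.items():
        remaining = parse_not_after(not_after) - now
        if remaining <= timedelta(0):
            status = "EXPIRED"
        elif remaining <= window:
            status = "RENEW"   # inside the notice window
        else:
            status = "OK"
        rows.append((label, status, remaining.days))
    return sorted(rows, key=lambda row: row[2])

# Constructed sample inventory (e.g. dates copied from custom fields or
# from `openssl x509 -noout -enddate`); not real certificates.
SAMPLE_INVENTORY = {
    "www.example.test": "Jul 10 12:00:00 2025 GMT",
    "mail.example.test": "Jun 20 12:00:00 2025 GMT",
    "signing-cert": "May 22 12:00:00 2025 GMT",
}
SAMPLE_NOW = datetime(2025, 6, 1, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, status, days in expiry_report(SAMPLE_INVENTORY, SAMPLE_NOW):
        print(f"{status:8} {days:4d} days  {label}")
```

Run from a daily scheduled job with `datetime.now(timezone.utc)` as `now`, and route any row that is not `OK` to mail or chat.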

This discussion has been closed.