Certificates - Security and best practices

[Guest]

[gchq]

We got our code signing certificate, exported it to a pfx file and browsed to the new file with VS2010. After entering the path to datestamp everything works (I hope) and we now have customers with a warm fuzzy feeling...

When the file was downloaded there was a warning about backing up the private key - does that mean just backup the certificate, or is there something else we should be doing to literally just backup the key?

With the Stuxnet issue flying around the internet it is quite clear that security is important - but can I find a step by step guide (other than the less than informative 'securing your private keys..' from Symantec) that runs through best practices? Does Comodo have such a guide? Clearly we don't want to compromise security, but we don't want VS2010 to kick off and throw all the toys out of the playpen when we deploy a clickonce project either.

If anyone can point me in the correct direction I would appreciate it!

Thanks

[w-e-v]

Perhaps this KB article and this other one can help.

[gchq]

Hi w-e-v

Thanks for the reply

The first KB relates to W2K and XP (OS is Server 2008 R2) - and exporting to a pfx was not a problem.

The second KB refers to firefox - typical I guess that whilst you can navigate to the cert store within IE9 there are no backup functions, that I can see.. I see no reason that the daily server backup won't include the cert (which leads to other problems security-wise)

As it turns out this KB does go into backing up the cert - but it is the process for exporting the pfx. I guess it can be imported back into the certificate store from the pfx file. As it happens I exported two variants, one that included all certificates in the path and one that didn't (an issue with VS2010)...

More than anything I am trying to find a 'best practices' document to prevent the certificate becoming compromised...

Have a great weekend

[Tags:]