Best practices

Use these best practices to ensure Mutual TLS Edge Truststore can successfully validate your CA certificates, CA sets, and CA set versions.

CA certificate

Before adding CA certificates to your CA set, make sure each certificate:

  • Is a correctly formed X.509 certificate, PEM encoded.
  • Has valid X.509 CA bits set.
  • Is within its validity period.
  • Is a self-signed root certificate or an intermediate certificate. Leaf certificates aren't accepted.
  • Uses the SHA-256 signature hash algorithm or better (unless the allowInsecureSha1 option is set).

    Additional considerations

    • Certificates signed using any SHA hashing algorithm (SHA-256, SHA-384, etc.) will be accepted.
    • Certificates signed using RSA, ECDSA, or any elliptic curve signature algorithm will be accepted.
    • RSA certificates must have a key size of at least 2048 bits.
    • ECDSA certificates require a minimum key size of 256 bits.

CA set

When creating a CA set, follow these conventions:

  • CA sets for the account can't exceed 200.
  • CA set names need to be unique within an account, with the exception of deleted CA sets.
  • Use only these characters for the CA set name, which must be between 3 and 64 characters long:
    • Alphanumeric (a-z, A-Z, 0-9)
    • Underscore (_)
    • Hyphen (-)
    • Period (.), but not three consecutive periods (...)
    • Percent (%)

CA set version

When managing CA set versions, follow these guidelines:

Creating a CA set version

  • Versions can't exceed 100, per CA set.
  • Submitted certificates can't exceed 300, per CA set version.
  • Submitted certificates need to use SHA-256 or higher unless Allow SHA-1 is explicitly specified.
  • Submitted certificates need to be valid, as specified in the CA certificate section.

Editing a CA set version

When modifying a CA set version, follow these guidelines:

  • A CA set version can't be modified when:
    • It's active on a network. If you need to make updates to an activated CA set version, clone it or create a new version.
    • There are deployment requests in progress for the version on a network. If the deployment fails, you can make changes to the version.
  • You can add and remove certificates, but you can't change the name.
  • Follow the guidelines for Creating a CA set version, where applicable.

Cloning a CA set version

After cloning a CA set version, if you make changes to the cloned version, follow the guidelines for Editing a CA set version where applicable. If the original CA set version has expired certificates, a warning appears for those certificates in the cloned version.

Activating a CA set version

When activating a CA set version, make sure your certificates meet the specifications in the CA certificate section.

Deactivating a CA set version from a network

You can't deactivate a CA set version if the CA set that it belongs to is bound to a slot in the Certificate Provisioning System. If the CA set is still associated with edge certificates, a message appears showing those edge certificates.