Best practices for storing many certificates and private keys
I am responsible (among many other things) for managing TLS/SSL certificates for a couple dozen or so websites for a large multinational. Some sites are hosted on Apache, some are on IIS. I use openssl to generate private keys and csr; once certificates are issued by the certificate authority, if necessary, I convert them to PFX (for IIS).
As a result of this work, I have private keys and public certificates for nearly 2 dozen large public websites stored on my work laptop. The disk is encrypted and the login process requires username/password AND fingerprint scan, however I am still concerned about the safety and security of these. Frankly, I'm not so much worried that a malicious actor may get access to my laptop, but rather that I may loose the data due to theft/loss of the laptop or even due to a hardware failure. The other issue is that if I am unavailable for whatever reason (holiday?), other people in admin roles wouldn't have access to these certs.
I don't feel comfortable to sync these to a public cloud (AWS S3, Azure storage accont, onedrive - we do have onedrive enterprise). The other options I considered were git repo (onprem git server), on-prem shared storage, Azure vault, or simply compress the whole directory with all the certs with encryption (e.g. 7z with encryption) and then uploading/storing remotely.
My requirements are:
- Easy access to all of these files
- Any storage, especially outside my immediate working directory, is encrypted
- Other trusted people can access the certs in my absence
- Ability to bulk sync files with whatever remote location it may be
- Support for Windows and Linux
- (Optional) versioning, i.e. when I get a new cert, I have the ability if needed to access the old cert
What are my options and best practices for this work?
