Security Audits and Key Management

This section details the system's capabilities for security auditing, secure key storage management, and SCEP password handling. It provides tools and insights crucial for maintaining a strong security posture and ensuring compliance within the PKI.

Key Functionalities

Security Dashboard

  • Endpoint: /security-audit/dashboard
  • Description: Offers a comprehensive overview of the system's key security status.
  • Information Provided:
    • Key Security Statistics: Total keys, number of legacy keys (using older encryption), and corrupted keys.
    • Overall Audit Statistics: Aggregated data from KeySecurityAudit records.
    • Recent Audits: A list of the most recent security audit events.
    • Legacy CAs: Identifies Certificate Authorities that are using older, less secure key storage mechanisms and require migration.
    • Unsecure SCEP Passwords: The number of SCEP challenge passwords stored in plaintext.
    • Security Score: A calculated score reflecting the overall security posture, with deductions for identified vulnerabilities.
    • Recommendations: Actionable recommendations to improve the system's security based on the audit findings.

Audit Specific CA

  • Endpoint: /security-audit/ca/{caId}
  • Description: Performs a detailed security audit for a specific Certificate Authority.
  • Audit Details:
    • CA Information: ID, common name, type, creation date.
    • Security Status: Indicates if the CA's private key is stored securely (secure) or using a legacy method (legacy).
    • Encryption Algorithm: The algorithm used for private key encryption (e.g., sodium_secretbox, laravel_crypt).
    • Private Key Salt: Indicates if a salt is used for private key encryption.
    • Key Last Rotated: Timestamp of the last key rotation.
    • Key Integrity Check: Verifies the integrity of the CA's private key.
    • SCEP Security Audit: Details on SCEP challenge password security, including counts of secure, active, and expired passwords, and presence of legacy plaintext passwords.
    • Recent Access Logs: Lists recent security audit logs specifically related to this CA.

Migrate CA to Secure Storage

  • Endpoint: POST /security-audit/ca/{caId}/migrate
  • Description: Initiates the migration of a specific CA's private key to a more secure storage mechanism (e.g., using sodium_secretbox encryption).
  • Precondition: The migration is refused if the CA already uses secure storage.
  • Outcome: Reports success or failure of the migration and the new security status of the CA.

Batch Migrate Legacy Keys

  • Endpoint: POST /security-audit/migrate-batch
  • Description: Allows for the batch migration of all identified legacy keys (across CAs and other entities) to secure storage.
  • Options: Supports a dry_run mode to simulate the migration process without making actual changes, useful for planning.
  • Outcome: Returns results detailing the number of entities processed and migrated.
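
The sketch below is an added example, not the product's own code. It shows how the already-secure precondition, the dry_run option and the key integrity check can fit together around sodium_secretbox. The record layout, the function names and the base64 stand-in for the legacy scheme are assumptions.

```php
<?php
declare(strict_types=1);
// Added example. Record layout, function names and the legacy decryptor
// are hypothetical; requires the sodium extension.

function sealPrivateKey(string $pem, string $key): array
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per encryption
    return [
        'encryption_algorithm' => 'sodium_secretbox',
        'nonce'                => $nonce,
        'private_key'          => sodium_crypto_secretbox($pem, $nonce, $key),
    ];
}

// Key integrity check: secretbox is authenticated encryption, so a modified
// ciphertext or nonce fails to open and the key is reported as corrupted.
function keyIntegrityOk(array $rec, string $key): bool
{
    return sodium_crypto_secretbox_open($rec['private_key'], $rec['nonce'], $key) !== false;
}

// Assumption: in dry-run mode 'migrated' counts what would be migrated.
function migrateBatch(array &$cas, callable $legacyDecrypt, string $key, bool $dryRun): array
{
    $out = ['processed' => 0, 'migrated' => 0, 'skipped' => 0, 'failed' => 0];
    foreach ($cas as $id => $rec) {
        $out['processed']++;
        if ($rec['encryption_algorithm'] === 'sodium_secretbox') {
            $out['skipped']++;            // precondition: already secure
            continue;
        }
        $pem    = $legacyDecrypt($rec);
        $sealed = is_string($pem) ? sealPrivateKey($pem, $key) : null;
        if ($sealed === null || !keyIntegrityOk($sealed, $key)) {
            $out['failed']++;             // keep the legacy record untouched
            continue;
        }
        if (!$dryRun) { $cas[$id] = $sealed; } // replace only after the round trip passed
        $out['migrated']++;
    }
    return $out;
}

// Constructed sample data: base64 stands in for the legacy scheme.
$key = sodium_crypto_secretbox_keygen();
$cas = [1 => ['encryption_algorithm' => 'laravel_crypt', 'private_key' => base64_encode('constructed PEM')],
        2 => sealPrivateKey('constructed PEM 2', $key)];
$legacy = fn(array $r) => base64_decode($r['private_key'], true);
var_dump(migrateBatch($cas, $legacy, $key, true), migrateBatch($cas, $legacy, $key, false));
```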

Create Secure SCEP Password

  • Endpoint: POST /security-audit/ca/{caId}/scep-password
  • Description: Creates a new, securely stored SCEP challenge password for a given Certificate Authority.
  • Requirements:
    • password: Required string, minimum 8 characters, maximum 128 characters.
    • expires_in_days: Optional integer (1-365) to set an expiration for the password.
  • Security: Passwords are hashed using Argon2id for secure storage.
  • Outcome: Returns details of the created secure password, including its ID and expiration date.
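
The following added example (not the product's own code) applies the stated policy, stores only an Argon2id hash, and classifies stored rows the way the SCEP audit describes. Function names and the row layout are assumptions. A PHP build with Argon2 support and the mbstring extension is assumed.

```php
<?php
declare(strict_types=1);
// Added example. Function names and the row layout are hypothetical; only
// the limits (8-128 chars, 1-365 days) and Argon2id come from the page.

function createScepPassword(string $password, ?int $expiresInDays = null): array
{
    $length = mb_strlen($password, 'UTF-8');
    if ($length < 8 || $length > 128) {
        throw new InvalidArgumentException('password must be 8-128 characters');
    }
    if ($expiresInDays !== null && ($expiresInDays < 1 || $expiresInDays > 365)) {
        throw new InvalidArgumentException('expires_in_days must be 1-365');
    }
    return [
        'secret'     => password_hash($password, PASSWORD_ARGON2ID), // salted hash only
        'is_active'  => true,
        'expires_at' => $expiresInDays === null
            ? null
            : (new DateTimeImmutable())->modify("+{$expiresInDays} days"),
    ];
}

// Audit view of one stored row: anything that is not an Argon2id hash is
// treated as a legacy value that still needs migration.
function scepStatus(array $row, DateTimeImmutable $now): string
{
    if (password_get_info($row['secret'])['algoName'] !== 'argon2id') {
        return 'legacy';
    }
    if ($row['expires_at'] !== null && $now >= $row['expires_at']) {
        return 'expired';
    }
    return $row['is_active'] ? 'active' : 'inactive';
}

// A challenge is accepted only against an active, unexpired Argon2id record.
function verifyScepChallenge(array $row, string $challenge, DateTimeImmutable $now): bool
{
    return scepStatus($row, $now) === 'active'
        && password_verify($challenge, $row['secret']);
}

// Constructed sample data, not from the page.
$now    = new DateTimeImmutable();
$secure = createScepPassword('constructed-challenge-01', 30);
$legacy = ['secret' => 'plaintext-challenge', 'is_active' => true, 'expires_at' => null];
var_dump(scepStatus($secure, $now), scepStatus($legacy, $now),
    verifyScepChallenge($secure, 'constructed-challenge-01', $now->modify('+31 days')));
```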

List SCEP Passwords

  • Endpoint: GET /security-audit/ca/{caId}/scep-passwords
  • Description: Lists all secure SCEP challenge passwords associated with a specific CA.
  • Details: Includes password ID, active status, expiration date, hash algorithm, creation date, and current status (active/expired).

Rotate CA Key

  • Endpoint: POST /security-audit/ca/{caId}/rotate-key
  • Description: Allows for the manual rotation of a Certificate Authority's private key.
  • Requirements:
    • key_size: Optional integer (2048, 3072, 4096) to specify the new key size.
    • reason: Optional string (max 255 chars) to provide a reason for the rotation.
  • Outcome: Reports success or failure of the key rotation and the key_last_rotated timestamp of the updated CA.

Inferred Specifications

  • Proactive Security Posture: The system actively monitors key security, calculates a security score, and provides actionable recommendations to maintain a strong security posture.
  • Secure Key Storage Enforcement: A core principle is the migration to and enforcement of modern, secure key storage mechanisms (e.g., sodium_secretbox encryption) for private keys, moving away from legacy methods.
  • Key Integrity Verification: Mechanisms are in place to verify the cryptographic integrity of private keys, detecting potential corruption or tampering.
  • SCEP Password Security: The system addresses the security of SCEP challenge passwords by promoting and facilitating their secure storage using strong hashing algorithms (Argon2id) and optional expiration.
  • Legacy System Remediation: Provides dedicated tools for identifying and migrating legacy CAs and keys to enhanced security configurations.
  • Configurable Key Rotation: Supports the manual rotation of CA private keys with options for specifying new key sizes, contributing to a robust key management lifecycle.
  • Quantifiable Security Metrics: The calculated security_score offers a quantifiable measure of the system's security, with clear deductions for specific vulnerabilities (legacy keys, unsecure SCEP, corrupted keys).
  • Actionable Security Recommendations: The system generates specific, prioritized recommendations to guide administrators in improving security.
  • Comprehensive Audit Trail: All security audit activities, key migrations, SCEP password management, and key rotations are meticulously logged for compliance, forensic analysis, and operational transparency.
  • Supported Key Sizes for CA Key Rotation: 2048, 3072, 4096 bits.
  • SCEP Password Policy: Requires a password between 8 and 128 characters, with an optional expiration period of 1 to 365 days.
