SSL Certificate Guidance
To enable Field Encryption in Archer, obtain the certificate from a trusted Certificate Authority (CA). You may instead generate a self-signed certificate, but that is not the recommended option.
It is recommended that you use a hardware security module (HSM) for field encryption rather than a certificate held in a local store.
Field Encryption certificate requirements
The certificate used for Field Encryption must meet all of the following requirements:
- The certificate is present in the local machine store as a personal certificate.
- The certificate is exportable.
- The certificate is not expired.
- The certificate has a key size of 2048 bits.
- The certificate has a private key.
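The following PowerShell script is an added example, not part of the Archer documentation or product, that checks a certificate in the local machine Personal store against the five requirements above. The thumbprint is a placeholder you supply; the exportability check assumes the private key is either a legacy CSP key or a CNG key, which covers the RSA keys that IIS and `certreq` normally create.

```powershell
# Added example (not Archer's own tooling): audit a certificate in Cert:\LocalMachine\My
# against the Field Encryption requirements. Run in an elevated session on the Archer host.
param(
    [string]$Thumbprint = '<THUMBPRINT-PLACEHOLDER>'   # placeholder: thumbprint of the candidate certificate
)

function Test-FieldEncryptionCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $findings = @()
    $now = Get-Date

    # Requirement: the certificate has a private key.
    if (-not $Certificate.HasPrivateKey) { $findings += 'No private key is associated with the certificate.' }

    # Requirement: the certificate is not expired (a not-yet-valid certificate is flagged too).
    if ($Certificate.NotAfter -lt $now)  { $findings += "Certificate expired on $($Certificate.NotAfter)." }
    if ($Certificate.NotBefore -gt $now) { $findings += "Certificate is not valid until $($Certificate.NotBefore)." }

    # Requirement: 2048-bit key. GetRSAPublicKey works for both CSP- and CNG-backed certificates.
    $rsaPub = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    if ($null -eq $rsaPub) { $findings += 'Public key is not RSA.' }
    elseif ($rsaPub.KeySize -ne 2048) { $findings += "Key size is $($rsaPub.KeySize) bits; 2048 is required." }

    # Requirement: the private key is exportable. The flag lives in different places
    # for legacy CSP keys and CNG keys, so both storage types are handled (assumption: RSA only).
    if ($Certificate.HasPrivateKey) {
        $exportable = $null
        try {
            $rsaPriv = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
            if ($rsaPriv -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $exportable = $rsaPriv.CspKeyContainerInfo.Exportable
            }
            elseif ($rsaPriv -is [System.Security.Cryptography.RSACng]) {
                $policy = $rsaPriv.Key.ExportPolicy
                $exportable = ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
            }
        }
        catch {
            $findings += "Could not open the private key: $($_.Exception.Message)"
        }
        if ($exportable -eq $false) { $findings += 'Private key is not marked exportable.' }
    }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Requirement: the certificate is present in the local machine Personal ("My") store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) {
    Write-Error "No certificate with thumbprint $Thumbprint found in Cert:\LocalMachine\My."
    return
}
Test-FieldEncryptionCertificate -Certificate $cert | Format-List
```

A `Compliant` value of `$false` with one or more `Findings` tells you which requirement the certificate misses before you try to enable Field Encryption; an empty `Findings` list means the certificate satisfies all five checks.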
How to secure a Field Encryption certificate
Access to the certificate used for encryption should be very limited. Take at least the following measures to protect it:
- Give Full Control of the certificate (which includes Read) only to the Administrator account. All other accounts should have Read access at most.
- Give Read-Only access to the certificate to the following accounts:
  - On a server hosting the Archer web application, only the AppPool account used by the web application should be given Read-Only access to the certificate.
  - On a server hosting Archer services, for example the Configuration Service and the Job Framework, only the accounts that run those services should be given Read-Only access to the certificate.
- Revoke access for every account that does not require it.
- Back up the encryption certificate regularly. The backup must be password protected and stored securely.
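The following PowerShell script is an added example, not Archer's own tooling, showing how to locate the private key file behind a certificate, list the accounts that currently hold rights on it, and grant a single service account Read access only, as the list above calls for. The thumbprint and the AppPool identity are placeholders; the key-file locations are the standard machine-key folders under `%ProgramData%`, and the script assumes an RSA key held by either a legacy CSP or CNG.

```powershell
# Added example (not Archer's own tooling): review and tighten the ACL on a certificate's
# private key file. Run in an elevated session on the Archer web or services host.
param(
    [string]$Thumbprint  = '<THUMBPRINT-PLACEHOLDER>',                 # placeholder
    [string]$GrantReadTo = 'IIS AppPool\<APPPOOL-NAME-PLACEHOLDER>'     # placeholder: assumed app pool identity
)

function Get-PrivateKeyFilePath {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # The key container name differs between legacy CSP keys and CNG keys (assumption: RSA only).
    $rsaPriv = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($rsaPriv -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $name = $rsaPriv.CspKeyContainerInfo.UniqueKeyContainerName
    }
    elseif ($rsaPriv -is [System.Security.Cryptography.RSACng]) {
        $name = $rsaPriv.Key.UniqueName
    }
    else {
        throw 'Unsupported private key type; only RSA CSP and CNG keys are handled.'
    }
    # Machine keys are stored under ProgramData; both the CSP and the CNG folder are searched.
    $roots = @(
        (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),
        (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys')
    )
    foreach ($root in $roots) {
        $candidate = Join-Path $root $name
        if (Test-Path -Path $candidate) { return $candidate }
    }
    throw "Key file '$name' was not found under the expected machine key folders."
}

$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) {
    Write-Error "No certificate with thumbprint $Thumbprint found in Cert:\LocalMachine\My."
    return
}
$keyPath = Get-PrivateKeyFilePath -Certificate $cert
Write-Host "Private key file: $keyPath"

# Show who currently has rights on the key so that unnecessary grants can be revoked.
$acl = Get-Acl -Path $keyPath
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

# Grant Read only (no Write, Modify or FullControl) to the service account.
if ($GrantReadTo) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $GrantReadTo,
        [System.Security.AccessControl.FileSystemRights]::Read,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
    Write-Host "Granted Read access on the private key to $GrantReadTo"
}
```

Run the script first with `-GrantReadTo ''` to only print the current ACL; any identity listed there other than Administrators, SYSTEM and the one service account that needs the key is a candidate for removal, which you can do from the Certificates MMC snap-in (Manage Private Keys) or by removing the rule with `RemoveAccessRule` and calling `Set-Acl` again.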
For recommendations on generating and installing an SSL certificate with IIS, see the Microsoft TechNet Library.
For information about industry best practices, see the following: