PKI Recommendations

This section outlines the recommended establishment, management, and security of Public Key Infrastructure (PKI) for business partners and customers of Silicon Labs. PKI plays a pivotal role in ensuring secure communication, data integrity, and authentication within our business ecosystem. This document sets forth recommended practices for the creation, management, and protection of secret keys and certificates by our partners and customers.

Scope

These recommendations apply to all business partners and customers involved in transactions, communications, or collaborations with Silicon Labs and Silicon Labs Services that necessitate the use of PKI technology.

Responsibilities

Business Partners and Customers Responsibilities

  • Creation of Secret Keys and Certificates: Business partners and customers should generate their secret keys securely and either procure the associated digital certificates from reputable Certificate Authorities (CAs) or generate their own digital certificates in accordance with the recommendations in this document. It is imperative that secret keys are generated using robust methods and are never shared with unauthorized parties.

  • Protection of Secret Keys: Business partners and customers should implement comprehensive security measures to safeguard their secret keys against unauthorized access, loss, or theft. This encompasses encryption, access controls, regular key rotation where applicable, and secure storage methodologies. Backup and recovery of secret keys are essential and should be planned for as part of disaster recovery. Keys should be stored in a well-managed and protected hardware security module (HSM).

  • Revocation and Renewal: Business partners and customers should promptly revoke compromised or no longer required certificates and renew certificates before expiration to maintain ongoing security. Affected parties should have a way to determine the revocation and/or renewal status of a certificate through a hosted certificate revocation list (CRL) or an Online Certificate Status Protocol (OCSP) responder.
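The two bullets above (secure key generation with CA-issued certificates, and a published revocation status that relying parties can check) can be exercised end to end with the openssl command line. The script below is an added example for this page, not Silicon Labs tooling: it builds a throwaway root CA in a temporary directory, issues a leaf certificate from a CSR so the CA never handles the leaf's private key, publishes a CRL, revokes the leaf, and shows how a relying party's `openssl verify -crl_check` answer changes. The CA configuration, the subject names, and the temporary directory layout are all constructed for the example; it assumes an openssl CLI (1.1.1 or newer) on PATH.

```shell
#!/bin/sh
# Added example (not from the Silicon Labs page): demonstrate key generation,
# CA issuance and CRL-based revocation checking with the openssl CLI.
# Everything below is created in a temporary directory and removed on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal `openssl ca` configuration, constructed for this example only.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir = .
database = index.txt
new_certs_dir = newcerts
serial = serial
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 365
default_crl_days = 7
policy = any_policy
x509_extensions = leaf_ext

[ any_policy ]
commonName = supplied

[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = Demo Root CA

[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign

[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
EOF

mkdir newcerts
touch index.txt
echo 01 > serial
echo 01 > crlnumber

# Root CA: P-256 private key and a self-signed CA certificate.
openssl ecparam -name prime256v1 -genkey -noout -out ca.key
openssl req -x509 -new -key ca.key -config ca.cnf -extensions ca_ext \
    -subj "/CN=Demo Root CA" -days 365 -out ca.crt

# Leaf: the partner generates its own key and only sends a CSR to the CA.
openssl ecparam -name prime256v1 -genkey -noout -out leaf.key
openssl req -new -key leaf.key -config ca.cnf \
    -subj "/CN=partner-device-0001" -out leaf.csr
openssl ca -batch -config ca.cnf -in leaf.csr -out leaf.crt -notext

# Relying-party check: chain validation plus CRL lookup.
# Echoes "ok" when the certificate validates, "revoked" otherwise.
check_status() {
    if openssl verify -CAfile ca.crt -CRLfile crl.pem -crl_check leaf.crt \
        >/dev/null 2>&1; then
        echo ok
    else
        echo revoked
    fi
}

# Publish the first (empty) CRL and check the leaf against it.
openssl ca -config ca.cnf -gencrl -out crl.pem
BEFORE=$(check_status)

# Revoke the leaf (reason: key compromise) and republish the CRL.
openssl ca -config ca.cnf -revoke leaf.crt -crl_reason keyCompromise
openssl ca -config ca.cnf -gencrl -out crl.pem
AFTER=$(check_status)

echo "before revocation: $BEFORE"
echo "after revocation:  $AFTER"
```

The point worth noticing is the last two lines: the leaf certificate is byte-for-byte unchanged after revocation, so a relying party that validates only the chain and expiry would still accept it. Only fetching the freshly published CRL (or querying an OCSP responder) turns the answer into "revoked", which is why the recommendation asks that a CRL or OCSP endpoint be hosted and reachable by affected parties.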

  • Ensure Internal Security: In addition to protecting the key material itself, business partners and customers should also maintain effective security around their organization and its operations, staff, and contractors. This means maintaining endpoints and infrastructure securely, such as patching operating systems and applications, hardening user applications, and restricting administrative privileges. People in the organization, and in particular those managing the keys and certificates, should be verified as trusted.

  • Audits: Business partners and customers should conduct regular audits of PKI and CA infrastructure and operations to confirm adherence to these recommendations and industry standards.

Security Controls

The publications of NIST (National Institute of Standards and Technology) are an indispensable resource for navigating and strengthening cybersecurity systems and can be referenced as a guide for further recommendations on these security controls.

  • Access Controls: Business partners and customers should implement access controls to limit access to secret keys and certificates to authorized personnel exclusively. This includes implementing role-based access control (RBAC) and conducting regular access reviews to ensure that only essential individuals have access to sensitive cryptographic materials.

  • Encryption: All secret keys and sensitive certificate information should be encrypted during transmission and storage using robust cryptographic algorithms and protocols.

  • Key Management: Business partners and customers should adopt robust key management practices, encompassing key generation, storage, rotation, and destruction, in accordance with industry best practices and standards.

  • Monitoring and Auditing: Business partners and customers should implement monitoring and auditing mechanisms to track access to secret keys and certificates, detect unauthorized activities, and generate audit trails for compliance purposes.

Revision History

This document will undergo periodic review and updates as necessary to reflect changes in technology, security requirements, or regulatory mandates.

Contact Information

For inquiries or concerns regarding these recommendations, contact certificateauthority@silabs.com.