This clause provides guidance to consider in the deployment of 5GC certificate management procedures that have been left to implementation.
The normal procedure of update and renewal of 5GC NF certificates is managed by CMP protocol as described in clause X.3.1.
Nevertheless, the certificate management framework can be severely impacted by special critical circumstances, which can derive in simultaneous updates of vast number of certificates, causing a potential partial or complete disruption of the service. For example, a compromised security algorithm, the disclosure of broken cryptographic primitives, the revocation of CA root certificates or multiple certificates with same expiration data, are some of the special circumstances triggering the certificate update procedure.
This clause lists a few practical recommendations to be considered in NF certificate update procedure with the aim of mitigating potential issues or disruptions due to outages or overload situations. These recommendations can be deployed and implemented via internal configuration, operator policies and other mechanisms and functionalities in the operator PKI infrastructure, OAM systems, orchestration systems, etc.
-
The NF certificate updates can be configured in the operator PKI, and consequently the procedure can be initiated in advance before the certificate expiration time. For example, making use of different time interval/periodicity based on the NF type when configuring certificate update policies. Observe that the NF type is included in the certificates as per the profile in clause 6.1.3c and hence can be checked there while configuring such policies.
-
The operator PKI does not have to update the certificates with the same or similar expiration time simultaneously. Furthermore, the certificate update policies can take into consideration the expiration time and the triggers of the procedure being configured in advance. Certificate updates policies can be configured, for example in the operator PKI, to create different batches of certificates to be updated sequentially or with certain prioritization criteria.
-
Certificate expiry related alarms reported by network management systems, operator CA announcements for certificate revocations (e.g., via CRL, OCSP, etc.), and any other type of certificate related event, can be monitored with the purpose of mitigating the risk of service unavailability due to above mentioned special circumstances.
The certificate management framework in 5G Core might need to work with certificates that belong to different domains, such as customer 3rd party slices, possibly with different requirements in terms of certificate lifecycles, CA(s) security policies potentially managed by administrators of multiple stakeholders (e.g., 5G Core operator, network slice customers/tenants) etc.
Network slice customers being offered certain slices can require performing management and operation tasks for the certificates of slice-specific NFs over operator's CA, or even to use their own CA and certificate management procedures for all or part of the slice-specific NFs. In this case, operator and slice customer may need to agree on mechanisms to establish the trust between operator and customer domain and automate certification lifecycle management across operator CAs/RAs and third parties CAs specific for slice(s).
Trust relationship and secure communication between the different entities involved in the network slicing certificate management, i.e., NF management functions (OAM), operator RA/CA and CAs (root CAs, or sub-CAs) specific for slice(s), may need to be established. Operator and slice customer may need to support capabilities to allocate a root CA/sub-CA to sign slice specific certificate for a NF, and may need to be able to manage such slice-specific certificates within the slicing orchestration framework to align with the network slice lifecycle.
Service Based Architecture (SBA) is likely to be deployed in an all-software multivendor environment. It is imperative that the underlying virtualized infrastructure hosting SBA NF is secured for confidentiality, integrity, and replay protection between authenticated endpoints.
Also, the security of the certificate management relies on robust secure key management. It includes confidentiality and integrity of the private key while at rest. All the life cycle stages of the cryptographic key, such as key generation and key rotation, need to follow secure practices.