I'm currently developing a PowerShell Runbook that generates reports from multiple client tenants, and I need some guidance on the best practices for handling certificates. I've been testing with one demo tenant but need to scale this solution. My main question is: should I create separate certificates for each client, meaning each client would have its own certificate in their tenant along with a matching certificate stored in our key vault? Or am I better off using a single certificate for all clients, where they share the same certificate in the app registrations and I only need to manage one certificate from the runbook? I feel that option one is more secure, though I worry it might be too complex to manage, while option two feels risky despite the fact that the certificate would be in our tenant with limited access. What do you all think?
2 Answers
I get your concerns, but remember that having all your certificates in one key vault means if one client gets compromised, the risk goes up for all of them. It's a bit of a double-edged sword—while you're centralizing management, you're also creating a potential vulnerability. You might want to weigh the risks versus the management effort required for each approach.
While your question is interesting, it might help to think of certificates like passwords. If you ask whether 50 tenants should use the same password, the answer is probably no. What would happen if one tenant got compromised? You'd have to change the password for all 49 tenants, which could be a nightmare. Sure, managing 50 certificates can be more work, but that overhead can often be automated, and it’s all about striking the right balance between security and convenience.
Related Questions
Can't Load PhpMyadmin On After Server Update
Redirect www to non-www in Apache Conf
How To Check If Your SSL Cert Is SHA 1
Windows TrackPad Gestures