Former Member, 5 years ago
Securely store SSL certificates with expiration date
We are looking for a location to securely store certificates for specific domains.
We would like to have 1 record containing different types of certificates from the same domain. (csr, crt, pem)
...
Former Member, 5 years ago
A password manager like 1Password doesn't really fit best practice workflow for handling certificates. As someone who takes part in certificate management in our company, I have a bit of experience with this and know about best practice.
If you talk about some SSL certificate used on a web server for SSL/TLS, best practice is to automate renewal. Choose a CA that allows automated renewal with tools like CertNanny or ACME (Letsencrypt supports this). Everything is stored on the server that handles renewal, often the webserver itself, and your strategy to secure this data is to harden the server against attackers as well as a proper disaster recovery process (backup+restore).
The thing you might store in 1Password are login credentials and your company's validation details for the CA for backup purposes. But certificates and the corresponding private keys need to be renewed and recreated every once in a while, so automate this. If you don't automate renewal, and your manual renewal process gets neglected (this is unavoidable after a few years!), you will get these famous calls: "I'm unable to connect to your website - certificate invalid/expired!"
If you operate your own CA for your private hosts in your intranet, arrange for automated renewal and certificate distribution. Active Directory has integrated certificate management.
Manual renewal is a process that will become obsolete, because the big browser manufacturers (Google, Mozilla) insist on shorter expiry dates in the future. In the past, it was 2 years. Currently, 1 year is the longest. Letsencrypt uses 3 months. In the future, expect common certificate expiry between 3 and 6 months. With such short expiry times, this is something that simply must be automated.
For example, with Letsencrypt and their acme-clients, automating for whatever web server software and whatever firewall and host security you have in your intranet is a breeze.
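The reply's point is that a certificate's expiry date belongs in an automated check, not in a vault record someone is expected to remember. The following Python script is an added example written for this page (not code from either poster or from 1Password) of the check that sits behind such automation: it walks the DER structure of an X.509 certificate to pull out the Validity field, computes the days remaining, and decides whether the certificate has crossed a renewal threshold. The certificate it parses is constructed inline with a small DER encoder so the script runs offline; it has a placeholder public key and a zero signature and is not a real certificate. The hostname `example.test`, the 90-day validity period and the 30-day renewal threshold are assumptions chosen for the example.

```python
"""Extract notAfter from an X.509 certificate (PEM or DER) and flag renewal.

Added example, not from the forum thread. Uses only the standard library:
a minimal ASN.1/DER walker reads tbsCertificate.validity, the same field
`openssl x509 -noout -enddate` reports.
"""
import base64
import datetime as dt

UTC = dt.timezone.utc


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value with a definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag: int, value: bytes) -> dt.datetime:
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) per RFC 5280 4.1.2.5."""
    s = value.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ: 50-99 -> 19xx, 00-49 -> 20xx
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body."""
    body = [ln.strip() for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def cert_validity(der: bytes):
    """Return (notBefore, notAfter) from Certificate.tbsCertificate.validity."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _read_tlv(cert, 0)                 # tbsCertificate
    tag, _, pos = _read_tlv(tbs, 0)                # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _read_tlv(tbs, pos)            # serialNumber
    _, _, pos = _read_tlv(tbs, pos)                # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)                # issuer Name
    _, validity, _ = _read_tlv(tbs, pos)           # Validity SEQUENCE
    t1, nb, p = _read_tlv(validity, 0)
    t2, na, _ = _read_tlv(validity, p)
    return _parse_time(t1, nb), _parse_time(t2, na)


def days_until_expiry(der: bytes, now: dt.datetime) -> int:
    return (cert_validity(der)[1] - now).days


def needs_renewal(der: bytes, now: dt.datetime, threshold_days: int = 30) -> bool:
    """True when the certificate is inside the renewal window (or already expired)."""
    return days_until_expiry(der, now) <= threshold_days


def make_test_cert(not_before: dt.datetime, not_after: dt.datetime) -> bytes:
    """Constructed stand-in certificate: valid DER layout, placeholder key, zero signature."""
    utc = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403"))  # CN
                                       + _tlv(0x0C, b"example.test"))))
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00"))  # placeholder, not a real key
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + name
                     + _tlv(0x30, utc(not_before) + utc(not_after)) + name + spki)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 9))


if __name__ == "__main__":
    cert = make_test_cert(dt.datetime(2024, 1, 1, tzinfo=UTC), dt.datetime(2024, 4, 1, tzinfo=UTC))
    today = dt.datetime(2024, 3, 10, tzinfo=UTC)
    print("days left:", days_until_expiry(cert, today), "renew:", needs_renewal(cert, today))
```

In production the same decision is usually delegated to the ACME client's own renewal loop; the parser above is the part to keep if you want an independent inventory check across many hosts, fed by whatever collects the live certificates. Against real PEM files, `openssl x509 -noout -enddate -in cert.pem` and `openssl x509 -noout -checkend 2592000 -in cert.pem` give the same two answers from the command line.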