Security Hygiene

Regular security maintenance prevents credential compromise and certificate-related outages.

What this page covers

  • SSH key rotation: replacing old keys and removing stale ones
  • OpenSSL certificate renewal: checking expiry and renewing manually
  • htpasswd management: adding, updating, and removing users
  • Secrets rotation for Gitea, YouTrack, and registry credentials
  • Firewall audit: reviewing open ports

SSH key rotation

Periodically rotate SSH keys, especially when team members leave:

  1. Generate a new key pair: ssh-keygen -t ed25519 -C "your-email"
  2. Add the new public key to ~/.ssh/authorized_keys on all servers.
  3. Verify the new key works before removing the old one.
  4. Remove the old key from ~/.ssh/authorized_keys.
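The file edits in steps 2 and 4 can be scripted so that the old key is never removed before the new one is in place. The following is an added example, not part of the original page; the function names and the sample key lines are hypothetical, and the key blobs are constructed placeholders rather than real keys.

```shell
#!/bin/sh
# Added example (not from the original page). Keys are matched on their base64
# blob, so a different comment or an options prefix does not hide an old key.
# Assumption: public key lines look like ssh-keygen's .pub output: "type blob comment".

blob_of() { printf '%s\n' "$1" | awk '{print $2}'; }

# has_key FILE BLOB: succeeds if any field of any line equals BLOB
has_key() {
    awk -v b="$2" '{for (i = 1; i <= NF; i++) if ($i == b) f = 1} END {exit !f}' "$1" 2>/dev/null
}

# add_key FILE PUBKEY_LINE: step 2, idempotent
add_key() {
    blob=$(blob_of "$2")
    [ -n "$blob" ] || return 2
    if has_key "$1" "$blob"; then return 0; fi
    printf '%s\n' "$2" >> "$1"
}

# remove_key FILE OLD_PUBKEY_LINE NEW_PUBKEY_LINE: step 4
# Refuses unless the new key is already installed, so a wrong order cannot lock you out.
remove_key() {
    old=$(blob_of "$2"); new=$(blob_of "$3")
    [ -n "$old" ] && [ -n "$new" ] || return 2
    has_key "$1" "$new" || { echo "refusing: new key not in $1" >&2; return 1; }
    tmp=$(mktemp "$1.XXXXXX") || return 1
    cp -p "$1" "$1.bak"                      # keep a rollback copy
    awk -v b="$old" '{keep = 1; for (i = 1; i <= NF; i++) if ($i == b) keep = 0} keep' "$1" > "$tmp"
    chmod 600 "$tmp" && mv "$tmp" "$1"       # replace the file in one rename
}

# Constructed sample data: placeholder blobs, not real keys.
OLD_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABOLDKEYPLACEHOLDER alice@old-laptop'
NEW_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEWKEYPLACEHOLDER alice@new-laptop'

demo() {
    d=$(mktemp -d) || return 1
    f="$d/authorized_keys"
    printf 'from="10.0.0.0/8" %s\n' "$OLD_KEY" > "$f"   # old key carries an options prefix
    add_key "$f" "$NEW_KEY" && remove_key "$f" "$OLD_KEY" "$NEW_KEY"
    cut -d' ' -f3 "$f"                                    # comment field of remaining keys
    rm -rf "$d"
}
demo
```

The script only edits the file; step 3 (logging in with the new key from a second session) still has to be done by hand between add_key and remove_key.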

OpenSSL certificate renewal

For manually managed certificates (not Let's Encrypt auto-renew):

# Check certificate expiry
openssl x509 -enddate -noout -in /path/to/cert.pem

# Renew (generate new CSR and submit to CA)
openssl req -new -key server.key -out server.csr

htpasswd management

# Add or update a user (-B stores the password as a bcrypt hash)
htpasswd -B /etc/nginx/.htpasswd username

# Delete a user
htpasswd -D /etc/nginx/.htpasswd username

# List users
cut -d: -f1 /etc/nginx/.htpasswd