TLS Certificate

  1. Ensure that the product is TLS enabled with a strong private key and has a valid, strong certificate from a trusted CA. This defends against man-in-the-middle attacks and provides transport layer security.
  2. The private key behind the certificate must be strong. The best practice is to select a key size of at least 2048 bits.
  3. Protect the private keys by restricting access to privileged users only.
  4. Avoid using wildcard certificates for product configuration. Add all the required DNS names that could be used to point to the product.
  5. During product deployment, know the certificate chain (including intermediary certificates) and set up the complete chain. An incomplete chain can lead to deployment issues.
  6. TLSv1.2 is the recommended secure protocol, as it supports modern authenticated encryption that TLSv1.1 does not.
  7. TLSv1.0, SSLv3.0 and SSLv2 are prone to major vulnerabilities, namely the BEAST, POODLE and DROWN attacks respectively. So, check the organization's policies before choosing a particular protocol version.
  8. If the organization's policy requires TLSv1.2 only, make sure to disable all lower protocols. See the product documentation for the configuration changes needed for strict enforcement of the TLSv1.2 protocol.
  9. Disable weak ciphers (DES/3DES, RC4). Prefer modern ciphers (AES, ChaCha20) and modes (GCM).
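The following is an added example, not part of the original checklist and not the product's own configuration code. It shows how items 6 to 9 (TLSv1.2 minimum, lower protocols disabled, weak ciphers removed, AEAD modes preferred) look as a concrete setting using only Python's standard `ssl` module, and it includes a small classifier that flags DES/3DES, RC4, NULL and MD5 suites in any exported cipher list so a deployment can be audited offline. The cipher names in the `legacy` sample list and the `WEAK_MARKERS` table are constructed for the example; the cipher-string keywords passed to `set_ciphers` are standard OpenSSL syntax.

```python
import re
import ssl

# Cipher-name fragments that indicate an algorithm the checklist wants disabled.
# "DES" also matches 3DES names such as DES-CBC3-SHA ("AES" does not contain "DES").
WEAK_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT")

# Authenticated-encryption modes accepted by the checklist: AES-GCM, AES-CCM, ChaCha20-Poly1305.
AEAD_PATTERN = re.compile(r"GCM|CCM|CHACHA20")


def is_weak_cipher(name):
    """True if an OpenSSL-style cipher name uses a deprecated algorithm."""
    upper = name.upper()
    return any(marker in upper for marker in WEAK_MARKERS)


def is_aead_cipher(name):
    """True if the cipher name refers to an authenticated-encryption mode."""
    return AEAD_PATTERN.search(name.upper()) is not None


def classify_ciphers(names):
    """Split cipher names into (weak, non_aead, acceptable), preserving order."""
    weak, non_aead, acceptable = [], [], []
    for n in names:
        if is_weak_cipher(n):
            weak.append(n)
        elif not is_aead_cipher(n):
            non_aead.append(n)  # e.g. AES-CBC with HMAC: not broken, but not AEAD either
        else:
            acceptable.append(n)
    return weak, non_aead, acceptable


def hardened_server_context():
    """Server-side SSLContext: TLSv1.2 minimum (SSLv3, TLSv1.0 and TLSv1.1 refused), AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-list syntax for TLS 1.2; TLS 1.3 suites are negotiated separately and are all AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!DES:!3DES:!RC4")
    return ctx


def context_report(ctx):
    """Return (minimum_version_name, weak_names, non_aead_names) for an SSLContext."""
    names = [c["name"] for c in ctx.get_ciphers()]
    weak, non_aead, _ = classify_ciphers(names)
    return ctx.minimum_version.name, weak, non_aead


if __name__ == "__main__":
    # Constructed sample: a cipher list as a permissive legacy deployment might export it.
    legacy = ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA", "DES-CBC3-SHA", "RC4-MD5"]
    print("legacy list:", classify_ciphers(legacy))
    print("hardened context:", context_report(hardened_server_context()))
```

`context_report` is the check to run after applying the product's documented configuration: the minimum version should read `TLSv1_2` and both the weak and non-AEAD lists should be empty. The classifier is deliberately name-based so it can also be pointed at cipher lists copied out of a load balancer or appliance that exposes no `SSLContext`.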