Best Practices to Store the Private Key

To protect and authenticate connections, the SSL/TLS protocol employs a pair of cryptographic keys, one public and one private. These keys are created in pairs and function together throughout the TLS handshake phase. Encryption is done with a public key, and decryption is done with a private key.

While the public key is made public as part of your SSL certificate, the private key is kept private and held on the server. The public key encrypts the information and protects it from cyber-attackers when you fill out a form with personal information and send it to the server. The private key decrypts the information once it reaches the server. Nobody else can decode your sensitive data thanks to the key pair.

Where to store it?

The ideal practice is to generate the it as well as the CSR on the server where the SSL certificate will be installed. This way, the possibility of vulnerability during the transfer from one machine to another is eliminated. However, you may need to use an external CSR generator tool to generate the private key on occasion. As a result, key stores are special files that can safely store your public and private key pair.

Keystores (PFX and KS files)

Special files containing your public/private keypair are PKCS#12 (.pfx or.p12) and.jks* (produced by the Java key tool). These files can be stored anywhere, including on remote servers. The password that protects the contents is its main security appeal. You must enter a strong password every time you wish to use your private key. If you use this strategy, make sure your password is complex and random. Another advantage of such files is that if numerous persons need to utilize the certificate, you can easily distribute copies.

Hardware Storage

If you want to keep your private keys safe, use physical devices like USB Tokens, Smart Cards, or Hardware Storage Modules (HSM). In order to attack such devices, attackers must first acquire access to them, which is much rarer in the actual world. The key is to not leave any portable devices connected, such as USB Tokens and Smart Cards.

What happens when a private key is compromised?

Despite your best efforts, your private key may be compromised at times. If you suspect or discover a security issue, you should contact your Certificate Authority and request certificate revocation. The CA may have up to 5 days to revoke the certificate, depending on your situation. The certificate must be canceled within 24 hours if it discovers clear proof that the certificate request was not authorized.

What to do if you’ve lost your private key?

If you’ve mistakenly deleted a file and don’t have a backup, you don’t need to submit a revocation request. In this instance, all you have to do is contact your CA and request a reissue of your certificate. If your private key is at risk of falling into the wrong hands as a result of a lost or stolen hard drive, it’s best to request certificate revocation.


It is an important part of your SSL certificate and data security. It’s critical to maintain it secure by adhering to industry best practices. While no one is completely safe from data breaches, adopting the appropriate precautions decreases the chance of a compromised private key.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Select your currency