I'm fairly certain I shouldn't commit certificates into source control. Even if the repository is private and only authenticated coworkers (for example) have access to it. That would allow for accidental exposure (thumb drives, leaked credentials, whatever).

But, how should I store and secure certificates? I don't suppose I should just plop them on the network file server, for some of the same reasons I wouldn't put them into source control, right?

Is there some kind of secure certificate store that I can run? Does the Java "keystore" do that generally or is it specific for like weblogic servers or something?

Kat

1 Answer

This answer applies to SSL or PGP type digital certificates, which bind an identity to a public key. It has been pointed out to me that the question as originally asked did not specify what kind of certificate, so my answer may not fit the question.

Digital certificates which bind an identity to a public key do not need special security because they contain only the public key. There is no reason not to store a copy in your source code control system.

The corresponding private key does need to be kept secure, but will need to be installed in the server(s) or email client(s) which are identified in the certificate. So, the private key is necessarily exposed to anyone who has administrative access to those machines. Also to anyone who has access to backup tapes, etc.

You absolutely do need a backup of the private key; if it is lost, as through a disk failure, you'll need to replace the certificate with the corresponding public key. I keep mine on an encrypted volume for which a very few people have the key. (More than one person needs to know that decryption key. People really do get into accidents, quit their jobs, etc.)

Bob Brown
  • Good concise answer. Few points: OP didn't say key/cert are for SSL; code-signing doesn't identify server(s). For any Java program(s) not just Weblogic, a "JKS" format Java keystore is indeed usually the best place for the private-key (and cert/chain). (Java allows plugging-in different providers for many things including keystores, but most people use only the Oracle/Sun builtin providers.) For non-Java there may be options but PKCS#12 http://tools.ietf.org/html/rfc5208 aka PFX is the most portable. Both JKS and PKCS#12 are password-based encrypted. – dave_thompson_085 Aug 19 '14 at 20:26
  • Everything dave_thompson_085 said looks right to me. I assumed SSL, and we all know the derivation of ASSume. I apologize. Anthony Mastrean, could you please edit your question to specify what kind(s) of certificates we're talking about? – Bob Brown Aug 19 '14 at 20:36
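The points made in the answer (a certificate holds only the public key, the private key is the secret) and in dave_thompson_085's comment (PKCS#12 is a password-encrypted container for key plus certificate) can be checked directly with the openssl command line. The script below is an added example, not code from the question, the answer or the comments; it assumes `openssl` is on PATH and a default openssl.cnf exists, and the subject name, file names and passwords are constructed for the demo. It goes one step beyond the thread by adding a `find_private_keys` scan of the kind a pre-commit hook would run to keep plaintext private keys out of a repository.

```shell
#!/bin/sh
# Added example (not from the original Q&A). Demonstrates with the openssl CLI:
#  1. a certificate file carries only the public key and is safe to commit,
#  2. the unencrypted private key is the material that must be protected,
#  3. PKCS#12 bundles key + cert under a password and rejects the wrong one,
#  4. a repository scan that reports plaintext private keys before a commit.
# Subject name, file names and passwords below are constructed for the demo.

set -u

# Generate a throwaway RSA key and self-signed certificate into directory "$1".
make_demo_material() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Exit 0 if the file contains a PEM private-key block (plain or encrypted).
has_private_key() {
    grep -q "PRIVATE KEY" "$1"
}

# Exit 0 if the file is a parseable certificate that exposes a public key
# and contains no private-key block at all.
cert_is_public_only() {
    openssl x509 -in "$1" -noout -pubkey >/dev/null 2>&1 && ! has_private_key "$1"
}

# Bundle key.pem + cert.pem from directory "$1" into bundle.p12 under password "$2".
bundle_p12() {
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -out "$1/bundle.p12" -passout "pass:$2" >/dev/null 2>&1
}

# Exit 0 only if the PKCS#12 file "$1" opens (MAC verifies) with password "$2".
p12_opens_with() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" -out /dev/null >/dev/null 2>&1
}

# Scan a tree for files holding PEM private keys. Prints offending paths and
# exits 1 if any are found; exits 0 when the tree is clean. A binary .p12 does
# not contain the ASCII marker, so a password-protected bundle does not trip it.
find_private_keys() {
    hits=$(find "$1" -type f -exec grep -l "PRIVATE KEY" {} + 2>/dev/null)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Walk through the four points when run as a script.
demo() {
    work=$(mktemp -d)
    make_demo_material "$work" || { echo "openssl key generation failed"; return 1; }
    cert_is_public_only "$work/cert.pem" && echo "cert.pem: public key only, safe to commit"
    has_private_key "$work/key.pem" && echo "key.pem: plaintext private key, must not be committed"
    bundle_p12 "$work" "demo-secret" && echo "bundle.p12: key + cert written under a password"
    p12_opens_with "$work/bundle.p12" "demo-secret" && echo "bundle.p12 opens with the right password"
    p12_opens_with "$work/bundle.p12" "wrong" || echo "bundle.p12 refuses the wrong password"
    find_private_keys "$work" || echo "scan: plaintext key found above, delete it before committing"
    rm -f "$work/key.pem"
    find_private_keys "$work" && echo "scan: tree is clean"
    rm -rf "$work"
}

demo
```

Running the script prints one line per check. The scan is deliberately crude (it looks for the PEM marker, which also catches "ENCRYPTED PRIVATE KEY" blocks); that is the right bias for a pre-commit gate, where a false positive costs a glance and a false negative costs a key rotation.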