Archive for December, 2018

Java Keystore Management Best Practices

Posted on 12/07/2018 , Alexander Ananiev,

A keystore file is a database for storing application secrets (private keys), trust certificates and CA chains. Proper keystore management is extremely important for application security.

We’ve compiled a list of keystore-related best practices in our keystore management document.

Here is a brief summary of the document:

  • Do not use default keystore files
  • Change default keystore passwords
  • Update keystore (and keypair) passwords on a frequent basis
  • Properly secure your keystore passwords, don’t store them unencrypted
  • Keep private keys in a separate keystore file
  • Clean up your keystores, get rid of all the expired/unused keys, certs, and CAs
  • Do not package keystores inside jar/war files
  • Do not package keystores inside Docker containers
  • Do not store kystores in the application’s Git repo
  • Use different keystore files for different environments
  • Use the PKCS12 format