A keystore file is a database for storing application secrets (private keys), trust certificates and CA chains. Proper keystore/truststore management is extremely important for application security.

We’ve compiled a list of keystore-related best practices in our keystore management document.

Here is a brief summary of the document:

  • Do not use default keystore/truststore files (set “javax.net.ssl.trustStore” system property accordingly)
  • Change default keystore passwords
  • Update keystore (and keypair) passwords on a frequent basis
  • Properly secure your keystore passwords; never store them unencrypted
  • Keep private keys in a separate keystore file
  • Set permissions for keystore files to read-only. The account used to run the application should be the owner of the file.
  • Clean up your keystores: remove all expired or unused keys, certificates and CAs
  • Do not package keystores inside jar/war files
  • Do not package keystores inside Docker containers
  • Do not store keystores in the application’s Git repo
  • Use different keystore files for different environments
  • Use the PKCS12 format
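As an added check that is not part of the original post or its keystore management document, the following POSIX shell script audits a keystore file against the format and file-permission items in the list: it reads the file's leading bytes to tell legacy JKS/JCEKS from PKCS12, and verifies that the file is read-only and owned by the account running the check. Taking "read-only" strictly as mode 0400 is my assumption, not something the document specifies.

```shell
#!/bin/sh
# Added audit script: checks one keystore file against two items of the list above,
# the PKCS12 format and read-only ownership by the application account.

# Identify the container format from the file's leading bytes:
# JKS starts with magic 0xFEEDFEED, JCEKS with 0xCECECECE, PKCS12 is DER
# (an ASN.1 SEQUENCE, so the first byte is 0x30).
keystore_format() {
    magic=$(od -A n -N 4 -t x1 "$1" | tr -d ' \n')
    case "$magic" in
        feedfeed) echo JKS ;;
        cececece) echo JCEKS ;;
        30*)      echo PKCS12 ;;
        *)        echo UNKNOWN ;;
    esac
}

# Octal mode and numeric owner: GNU stat first, BSD/macOS stat as fallback.
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }

# Audit one keystore. Prints one finding per line; the exit status is the
# number of findings, so 0 means the file passed. Assumption: "read-only"
# is taken strictly as mode 0400 (readable by the owner only).
audit_keystore() {
    ks=$1
    findings=0
    fmt=$(keystore_format "$ks")
    if [ "$fmt" != PKCS12 ]; then
        echo "$ks: format is $fmt, expected PKCS12"
        findings=$((findings + 1))
    fi
    mode=$(file_mode "$ks")
    if [ "$mode" != 400 ]; then
        echo "$ks: mode $mode, expected 400 (read-only for the owner)"
        findings=$((findings + 1))
    fi
    owner=$(file_owner "$ks")
    if [ "$owner" != "$(id -u)" ]; then
        echo "$ks: owned by uid $owner, expected uid $(id -u) (the account running this audit)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage: sh audit-keystore.sh /path/to/app.p12 [more keystores...]
for ks in "$@"; do
    audit_keystore "$ks" || true
done
```

Run it as the application's service account so the ownership check compares against the right uid.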