A keystore file is a password-protected container for private keys (with their certificate chains) and for trusted certificates and CA chains. In Java the same file format serves both roles: a keystore holds the application's own identity, a truststore holds the certificates the application is willing to trust. Proper keystore/truststore management is extremely important for application security, because a leaked private key lets an attacker impersonate the service and a sloppy truststore lets an attacker impersonate everyone else.
We’ve compiled a list of keystore-related best practices in our keystore management document.
Here is a brief summary of the document:
- Do not use the default keystore/truststore files. Without an explicit truststore the JVM falls back to the JDK's bundled cacerts, which trusts every public CA it ships with; set the “javax.net.ssl.trustStore” (and “javax.net.ssl.keyStore”) system properties accordingly, or build your SSLContext from explicitly loaded stores.
- Change default keystore passwords (the JDK's cacerts, for example, ships with the well-known password “changeit”).
- Rotate keystore and key-entry passwords on a regular schedule, not only after an incident.
- Properly secure your keystore passwords; don't store them unencrypted in source code, build scripts or plaintext configuration. Supply them at runtime from a secrets manager or the environment.
- Keep private keys in a separate keystore file from the truststore, so the one file that holds a secret is not the file every component needs to read.
- Set permissions on keystore files to read-only (mode 0400 on Unix-like systems). The account used to run the application should be the owner of the file, and no other account should be able to read it.
- Clean up your keystores: remove all expired or unused keys, certificates and CAs, so a stale trust anchor cannot be used to validate a forged chain.
- Do not package keystores inside jar/war files; the artifact is copied to every place it is deployed or cached, and the key cannot be rotated without a rebuild.
- Do not package keystores inside Docker images; anyone who can pull the image can extract the key from a layer.
- Do not store keystores in the application's Git repo; history keeps the key even after the file is deleted.
- Use different keystore files (and different keys) for different environments, so a key leaked from dev or test cannot be used against production.
- Use the PKCS12 format. The proprietary JKS format is legacy, and PKCS12 has been the JDK's default keystore type since Java 9; create stores with “-storetype PKCS12” and convert existing JKS files with “keytool -importkeystore -deststoretype PKCS12”.
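As an added illustration of how an application can enforce several of these rules at startup (this is example code written for this summary, not code from the keystore management document), the following Java class loads an explicit PKCS12 keystore and a separate PKCS12 truststore, reads their passwords from the environment instead of configuration, refuses any store file readable by group or other, checks that the truststore contains no private keys, reports expired entries, and builds an SSLContext directly from the two stores so the JDK's cacerts is never consulted. The class name KeystoreHygiene and the environment variable names APP_KEYSTORE_PASSWORD, APP_KEY_PASSWORD and APP_TRUSTSTORE_PASSWORD are assumptions; the permission check uses POSIX file attributes and therefore runs on Unix-like systems only, and Path.of requires Java 11 or later.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.EnumSet;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Startup checks for an application's keystore and truststore (assumed class name, example code).
 * Usage: java KeystoreHygiene /etc/app/keystore.p12 /etc/app/truststore.p12
 */
public final class KeystoreHygiene {

    // Any permission bit for group or other is a failure: only the owning service account may read the file.
    private static final Set<PosixFilePermission> FORBIDDEN = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE, PosixFilePermission.GROUP_EXECUTE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    /** Passwords are read from the environment (assumed variable names) at runtime, never from source or config. */
    static char[] passwordFromEnv(String var) {
        String value = System.getenv(var);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("environment variable " + var + " is not set");
        }
        return value.toCharArray();
    }

    /** Refuse a store that anyone other than its owner can access (POSIX only; unsupported on Windows). */
    static void checkPermissions(Path file) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
        if (!Collections.disjoint(perms, FORBIDDEN)) {
            throw new SecurityException(file + " is accessible to group/other: " + perms);
        }
    }

    /** Load the store as PKCS12 explicitly; a legacy JKS file fails here rather than being silently accepted. */
    static KeyStore loadPkcs12(Path file, char[] password) throws IOException, GeneralSecurityException {
        checkPermissions(file);
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Return the aliases whose X.509 certificate has already expired, so they can be cleaned out. */
    static Set<String> expiredAliases(KeyStore ks, Date now) throws GeneralSecurityException {
        Set<String> expired = new TreeSet<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            Certificate cert = ks.getCertificate(alias);   // works for key entries and trusted-cert entries
            if (cert instanceof X509Certificate && ((X509Certificate) cert).getNotAfter().before(now)) {
                expired.add(alias);
            }
        }
        return expired;
    }

    /** A truststore must contain trusted certificates only; a private key in it means the files were mixed up. */
    static void assertNoPrivateKeys(KeyStore ts, Path file) throws GeneralSecurityException {
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (ts.isKeyEntry(alias)) {
                throw new SecurityException(file + " contains a private key entry '" + alias + "'");
            }
        }
    }

    /**
     * Build an SSLContext from an explicit keystore and truststore. This is the programmatic equivalent of
     * setting javax.net.ssl.keyStore / javax.net.ssl.trustStore: the JDK's bundled cacerts is never consulted.
     */
    static SSLContext buildSslContext(Path keystore, Path truststore) throws IOException, GeneralSecurityException {
        char[] storePass = passwordFromEnv("APP_KEYSTORE_PASSWORD");
        char[] keyPass = passwordFromEnv("APP_KEY_PASSWORD");
        char[] trustPass = passwordFromEnv("APP_TRUSTSTORE_PASSWORD");
        try {
            KeyStore ks = loadPkcs12(keystore, storePass);     // private key and its chain only
            KeyStore ts = loadPkcs12(truststore, trustPass);   // trusted CA certificates only
            assertNoPrivateKeys(ts, truststore);
            Date now = new Date();
            for (String alias : expiredAliases(ks, now)) {
                System.err.println("WARNING: expired key entry in " + keystore + ": " + alias);
            }
            for (String alias : expiredAliases(ts, now)) {
                System.err.println("WARNING: expired trusted certificate in " + truststore + ": " + alias);
            }
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, keyPass);
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ts);
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
            return ctx;
        } finally {
            // Passwords are char[] so they can be wiped as soon as the stores are open.
            Arrays.fill(storePass, '\0');
            Arrays.fill(keyPass, '\0');
            Arrays.fill(trustPass, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildSslContext(Path.of(args[0]), Path.of(args[1]));
        System.out.println("TLS context ready (" + ctx.getProtocol() + ") from " + args[0] + " and " + args[1]);
    }
}
```

Run it with the three password variables exported by the service manager (for example from a secrets store at deploy time) and the two .p12 files owned by the service account with mode 0400; a file created with keytool's legacy JKS default, a world-readable store, a truststore that accidentally contains the server key, or a missing password variable each fails fast at startup instead of silently running with the JDK defaults.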