A keystore file is a database for storing application secrets (private keys), trust certificates and CA chains. Proper keystore/truststore management is extremely important for application security.

We’ve compiled a list of keystore-related best practices in our keystore management document.

Here is a brief summary of the document:

* Do not use default keystore/truststore files (set “javax.net.ssl.trustStore” system property accordingly)
* Change default keystore passwords
* Update keystore (and keypair) passwords on a frequent basis
* Properly secure your keystore passwords, don’t store them unencrypted
* Keep private keys in a separate keystore file
* Set permissions for keystore files to read-only. The account used to run the application should be the owner of the file.
* Clean up your keystores, get rid of all the expired/unused keys, certs, and CAs
* Do not package keystores inside jar/war files
* Do not package keystores inside Docker containers
* Do not store keystores in the application’s Git repo
* Use different keystore files for different environments
* Use the PKCS12 format