Java Keystore Management Best Practices
Posted on 12/07/2018 ,
A keystore file is a database for storing application secrets (private keys), trust certificates and CA chains. Proper keystore management is extremely important for application security.
We’ve compiled a list of keystore-related best practices in our keystore management document.
Here is a brief summary of the document:
- Do not use default keystore files
- Change default keystore passwords
- Update keystore (and keypair) passwords on a frequent basis
- Properly secure your keystore passwords, don’t store them unencrypted
- Keep private keys in a separate keystore file
- Clean up your keystores, get rid of all the expired/unused keys, certs, and CAs
- Do not package keystores inside jar/war files
- Do not package keystores inside Docker containers
- Do not store kystores in the application’s Git repo
- Use different keystore files for different environments
- Use the PKCS12 format