The SSL/TLS protocol uses a pair of cryptographic keys, one public and one private, to secure and authenticate connections. These keys are generated together as a pair and work in tandem during the TLS handshake process. The public key is used to encrypt the data, and the private key is used to decrypt it.

While public keys are available to anyone as part of your SSL certificate, the private key is stored on the server and kept secret. When you fill in a form with personal information and submit it to the server, the public key encrypts the information and protects it from cyber-attackers. Once it reaches the server, the private key decrypts this information. The key pair ensures that nobody else can decode your sensitive data.

The private key is a text file created when you generate the Certificate Signing Request (CSR), using a unique random number. You should always keep it in a safe place and never share it with anyone. Even though it’s just a text file, it’s essential for data integrity. A compromised private key can damage your reputation beyond repair, not to mention the financial losses you may incur. In this article, we’ll show you the best practices when it comes to private key storage.

Where to store the private key?

Generally, the best practice is to generate the private key along with the CSR on the server where you intend to install the SSL certificate. This way, you eliminate the risk of exposing the key during a transfer from one machine to another. However, sometimes you may need to create the private key via an external CSR generator tool. For this reason, there are special files called keystores that can safely store your public and private key pair.

Keystores (PFX and JKS files)

PKCS#12 (.pfx or .p12) and .jks (created by the Java keytool) are special files containing your public/private key pair. You can store these files anywhere, including remote servers. Their main security appeal is a password that protects the contents. Any time you want to use your private key, you have to enter that password, so be sure to create a strong, random one if you use this method. Another benefit of such files is that you can easily distribute copies if multiple people need to use the certificate. Just make sure you completely trust them and their intentions when sharing the private key password.
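When the key is kept as a PEM text file on the server instead of inside a keystore, you can check whether it has password protection and whether other accounts can read it. The script below is an added example, not part of the original article; it assumes a POSIX system, the file names and key bodies are constructed placeholders, and it does not inspect binary .pfx or .jks files.

```python
import stat
import tempfile
from pathlib import Path

# PEM label -> encrypted? None = traditional format, where a header line decides.
PEM_LABELS = {
    "-----BEGIN ENCRYPTED PRIVATE KEY-----": True,   # PKCS#8, encrypted
    "-----BEGIN PRIVATE KEY-----": False,            # PKCS#8, plaintext
    "-----BEGIN RSA PRIVATE KEY-----": None,
    "-----BEGIN EC PRIVATE KEY-----": None,
}


def audit_key_file(path: Path) -> list:
    """Return a list of findings for one PEM private key file."""
    findings = []
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"permissions {mode:04o} allow group/other access")
    text = path.read_text(errors="replace")
    label = next((l for l in PEM_LABELS if l in text), None)
    if label is None:
        return findings + ["no PEM private key block found"]
    encrypted = PEM_LABELS[label]
    if encrypted is None:
        encrypted = "Proc-Type: 4,ENCRYPTED" in text  # OpenSSL legacy header
    if not encrypted:
        findings.append("private key is stored without password encryption")
    return findings


def demo() -> dict:
    """Audit constructed sample files (placeholder bodies, not real keys)."""
    samples = {
        "plain.key": ("-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n", 0o644),
        "locked.key": ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nCONSTRUCTED\n", 0o600),
        "legacy.key": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n", 0o600),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (body, mode) in samples.items():
            key = Path(tmp, name)
            key.write_text(body)
            key.chmod(mode)
            results[name] = audit_key_file(key)
    return results


if __name__ == "__main__":
    print(demo())
```

An empty list means the file is both owner-only and password-encrypted; point `audit_key_file` at your own key paths to run the same check.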

Hardware Storage

If you’re looking for a bulletproof way to store your private keys, then you should go with physical devices such as USB Tokens, Smart Cards, or Hardware Security Modules (HSMs). With such devices, attackers must first gain physical access to them, which is significantly less likely in the real, physical world. The trick here is not to leave portable devices such as USB Tokens and Smart Cards connected. As for HSMs, in both theory and practice, they should offer the best protection but are expensive and impractical for most users.

What happens when a private key is compromised?

Sometimes, despite your best efforts, your private key may become compromised. If you suspect or detect a security breach, you should submit a certificate revocation request to your Certificate Authority. Depending on your particular situation, the CA may have up to 5 days to revoke the certificate. If it finds clear evidence that the certificate request was not authorized, the certificate must be revoked within 24 hours.

What to do if you’ve lost your private key?

You don’t have to submit a revocation request if you’ve accidentally deleted the file and there’s no backup. In this case, all you have to do is contact your CA and ask for your certificate to be reissued. However, if your private key may fall into someone else’s hands as a result of a lost or stolen hard drive, it’s safer to ask for certificate revocation.


The private key is a critical component of your SSL certificate and data protection. It’s imperative to keep it safe by following the best industry practices. While no one is immune to data breaches, taking the necessary preventive measures reduces the risk associated with a compromised private key.