Keystores

Both the server and the client have reasons to keep the keys and certificates needed for TLS communication in a safe place. The server mainly wants to make sure that its private key remains private, whereas the client is concerned with the certificates being authentic, i.e. that they have not been manipulated. For both purposes a keystore is used to keep encryption keys and certificates in a safe and organized place. As an abstract concept, a keystore can be implemented in different ways: as a collection of files in a directory structure with restrictive access permissions, in some proprietary "database file" format, or in a file with a standardized format. Keeping so-called "PEM" files in a directory is an example of the first kind of keystore and can be used with OpenSSL. The proprietary "CMS" format of "*.kdb" files implemented by IBM's GSKit is an example of the second kind. This section concentrates on the public PKCS #12 standard for keystore files, an example of the third kind.

PKCS #12 defines a file format for storing several cryptographic objects (private keys and certificates) in a single file. It is part of the Public-Key Cryptography Standards (PKCS) family published by RSA Laboratories. PKCS #12 is the successor to Microsoft's "PFX" format and therefore retains some compatibility with it.
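As an added example that is not part of the original text, the following shell script uses the OpenSSL command line (1.1.1 or 3.x assumed to be installed) to build a PKCS #12 keystore and then checks the two properties the text cares about: the private key stays protected (passphrase-encrypted key bag, owner-only permissions, no plaintext PEM left behind), and a manipulated keystore is rejected when the MAC is verified. The alias, passphrase, subject name and file paths are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): build a passphrase-protected
# PKCS #12 keystore with the OpenSSL command line and check that the private
# key stays protected and that a manipulated keystore is rejected. The alias,
# passphrase, subject name and paths below are constructed for this example.
set -eu

P12_PASS=${P12_PASS:-"example passphrase, replace me"}   # constructed
CN="keystore-example.test"                                 # constructed

# Create a throw-away RSA key and self-signed certificate in $1 and bundle
# them into $1/store.p12 under the alias (friendlyName) $2.
make_p12() {
  dir=$1; name=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$CN" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
    -name "$name" -out "$dir/store.p12" -passout "pass:$P12_PASS"
  # The .p12 now carries the private key: keep it owner-only and remove the
  # unencrypted PEM copy, which was only an intermediate artifact.
  chmod 600 "$dir/store.p12"
  rm -f "$dir/key.pem"
}

# Succeeds only if the file parses, its MAC verifies and the key bag
# decrypts with the given passphrase.
p12_opens() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Print the friendlyName recorded on the end-entity certificate bag.
p12_alias() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
    sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# Print the subject of the end-entity certificate, e.g. "subject=CN=...".
p12_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -subject -nameopt RFC2253
}

# Write a manipulated copy of keystore $1 to $2 by dropping its last byte,
# which lands inside the trailing MacData structure of the PFX.
tamper_copy() {
  size=$(wc -c < "$1")
  head -c "$((size - 1))" "$1" > "$2"
}

main() {
  tmp=$(mktemp -d)
  make_p12 "$tmp" server
  ls -l "$tmp/store.p12"
  p12_subject "$tmp/store.p12" "$P12_PASS"
  # Show the protection actually applied (MAC and encryption algorithms).
  openssl pkcs12 -info -in "$tmp/store.p12" -passin "pass:$P12_PASS" -noout 2>&1 |
    grep -E 'MAC|Keybag|Encrypted' || true
  tamper_copy "$tmp/store.p12" "$tmp/damaged.p12"
  if p12_opens "$tmp/damaged.p12" "$P12_PASS"; then
    echo "damaged keystore was accepted"; exit 1
  fi
  echo "damaged keystore rejected, as expected"
  rm -rf "$tmp"
}

main
```

The `-info` output is worth reading once per OpenSSL version in use: it names the MAC digest and the PBE algorithms protecting the key and certificate bags, which is where older defaults (RC2/3DES with SHA-1) show up and can be replaced with `-keypbe`/`-certpbe`/`-macalg` options when exporting.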

In addition to (local) file keystores, there are also several remote keystore services. Proprietary examples are Amazon Web Services Key Management Service (AWS KMS) and Microsoft Azure Key Vault. Key Management Interoperability Protocol (KMIP) services are offered by several vendors and providers and adhere to the public KMIP standard.