Where should we store the cert and private key?

Where should we store the cert and private key ?

MySQL ? MongoDB ? or what ?

How CA keep the cert and private key ?

What kind of datebase they prefer ?

Why?

This depends on what you will be using the certificates for. Most users use these certificates for web servers (but they can be used for various other services) and store them in the normal file system.

The public part of the certificate is literally public and can be read by anyone. For TLS to work whichever service is using the certificate also needs to be able to read the private key.

If storing certificates in a database the convention would be to use PEM (base64 encoded text) format but you can store it as DER (binary/bytes) as an alternative.

3 Likes

Thank you for this answer.

Thank you for this answer.

I wonder know , If I am a CDN provider, where should I keep cert for my client?

The cert is public, so store it wherever is most convenient for your architecture.

The private key is private and needs to be kept secure. What kind of storage you use (file system, MySQL, or whatever) isn't nearly as important as what your security controls are around it, what processes have access to it when, keeping the systems involved current with security patches, and so on.

Well, I'm not sure what CAs do for their keys running their web site, but for the private keys that they use for their root and intermediate certificates, they're stored in Hardware Security Modules (HSM) which allow computers to sign with them but don't give the computers direct access to the private keys. You can find a little bit about Let's Encrypt's architecture, for example, in this recent blog post talking about some hardware upgrades they've completed:

There's a whole section in there on the HSMs they use and their performance characteristics.

I don't know if the answer really changes if you're a CDN, it probably just means that you have a lot more certificates to secure, and a lot more eyes (both "good guys" and "bad guys") looking at your infrastructure.

1 Like

Operating a CDN is a pretty large infrastructure engineering topic.

I'd suggest that you need someone on your technical staff that basically already knows 10 different ways this could be done. High availability distributed caching secrets stores integrated on-demand into your CDN endpoints, etc.

Storing the certs in a database (if you even need to do that) is kind of the easy part of this problem.

4 Likes

Thank you for these professional views.

It's very helpful for me.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.