We recently bought a wildcard SSL cert for our domain. We converted all of the certs to a Java keystore, but now we are asking ourselves where we should store these for later use.
Do people use source control like BitBucket for these types of files or just generate every time it's needed, or something else?
We're wondering if there's a standard solution or any "best practices" around storing these certificates for future use.
Best Answer
There are multiple solutions:
One avenue is a specific key vault either a hardware based appliance, a hardware security module or a software based equivalent.
Another is to simply revoke the old key and generate a new one private/public key-pair when the situation arises. That somewhat shifts the problem from maintaining key security to securing the username/password of the account with the certificate provider and their procedures for re-issue. The advantage there is that most organisations already have a privileged account management solution e.g. 1 2
There are multiple ways of off-line storage, from printing a hard-copy of the private and public key-pair including the password (but that will be a female dog to restore) to simply storing them on digital media rated for long time storage.
Really bad places are GitHub, your team WiKi or a network share (and you get the idea).
Update 2015/4/29: Keywhiz seems an interesting approach as well.