WHITE PAPER
The Principles for Secure Certificate Storage
In essence, certificates are just pieces of digital data, contained in a file in the file system or in the computer’s working memory. All certificates are issued for a specific key pair in an asymmetric cryptographic process, with the public key of that pair stored in the certificate. Its counterpart, the private key, is kept apart from it, usually in a separate file on the certificate holder’s device. And this is where the security of the system can break down: The private key must never be accessed by anyone but the certificate’s holder. Even if the place of storage is secure, the private key has to regularly leave that safe environment for cryptographic operations in the CPU, making it again vulnerable to would-be attackers.
Even a building with the highest possible fences, toughest doors, and most complicated keys possible can be burgled if the keys are not kept safe. This simple example shows where the greatest danger lies and where there is the best potential for protection. The higher the CA stands in the hierarchy, the tougher its protections need to be. In the case of commercial CAs that issue certificates for HTTPS communication (TLS) on the Internet or for banks and major corporations, so-called Hardware Security Modules (HSMs) are often used as a solution: closed systems that are particularly hardened against manipulation. They keep the certificate and key in a secure environment that, depending on the design, these can usually never leave. The keys are only ever used in this secure enclave, as not even the processor on board can be accessed from outside. All there is for users is an interface through which they can send requests into the system and from which they receive the output they need. The entire cryptographic operation happens inside that box. Should the system be attacked or even just opened, the keys stored on it will be automatically deleted or otherwise put out of use. These HSMs are designed for use in data centers and specialized for a range of high-performance cryptographic operations, making them an expensive investment.
On the user’s side, certificates are stored either in a TPM module, specifically for PC users, or another secure element (SE) that can come in many shapes and forms and use a range of interfaces and Application Programming Interfaces (APIs) for communicating with applications. One very widespread standard is PKCS #11, from the Public-Key Cryptography Standards, which is already an integral part of CodeMeter Certificate Vault. Applications that support PKCS #11 can work with CodeMeter Certificate Vault as their secure key storage. The PKCS #11 interface takes care of all subsequent processes related to the secure storage and use of keys and certificates.
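PKCS #11 records, per key object, whether the private key is allowed to leave the token at all. The following Python check is an added example, not part of the original white paper and not CodeMeter code; it goes slightly beyond the text by auditing the standard attributes CKA_SENSITIVE, CKA_EXTRACTABLE, CKA_ALWAYS_SENSITIVE, CKA_NEVER_EXTRACTABLE and CKA_LOCAL. It assumes the attribute values have already been read from the token with whatever PKCS #11 binding is in use; the function names and the sample objects are constructed for illustration.

```python
# Added example: audit PKCS #11 private-key attributes for ways a key
# could leave (or could already have left) the token.
# Attribute names are from the PKCS #11 standard; sample data is constructed.

REQUIRED = ("CKA_SENSITIVE", "CKA_EXTRACTABLE", "CKA_ALWAYS_SENSITIVE",
            "CKA_NEVER_EXTRACTABLE", "CKA_LOCAL")


def audit_private_key(attrs):
    """Return findings for one private-key object.

    `attrs` maps attribute names to booleans as reported by the token.
    Attributes the token did not report are flagged, never assumed safe.
    """
    findings = [f"{name} not reported by token"
                for name in REQUIRED if name not in attrs]
    sensitive = attrs.get("CKA_SENSITIVE")
    extractable = attrs.get("CKA_EXTRACTABLE")
    if extractable is True and sensitive is False:
        findings.append("key value can be read in plaintext off the token")
    elif extractable is True:
        findings.append("key can be exported under a wrapping key")
    elif sensitive is False:
        findings.append("key is not marked sensitive")
    if attrs.get("CKA_ALWAYS_SENSITIVE") is False:
        findings.append("key was non-sensitive at some point")
    if attrs.get("CKA_NEVER_EXTRACTABLE") is False:
        findings.append("key was extractable at some point")
    if attrs.get("CKA_LOCAL") is False:
        findings.append("key was not generated on the token")
    return findings


def audit_token(objects):
    """Map each key label to its findings; an empty list means token-bound."""
    return {label: audit_private_key(a) for label, a in objects.items()}


# Constructed sample objects, not read from a real device.
SAMPLE_OBJECTS = {
    "tls-server-key": {"CKA_SENSITIVE": True, "CKA_EXTRACTABLE": False,
                       "CKA_ALWAYS_SENSITIVE": True,
                       "CKA_NEVER_EXTRACTABLE": True, "CKA_LOCAL": True},
    "migrated-key": {"CKA_SENSITIVE": True, "CKA_EXTRACTABLE": True,
                     "CKA_ALWAYS_SENSITIVE": False,
                     "CKA_NEVER_EXTRACTABLE": False, "CKA_LOCAL": False},
    "partial-report": {"CKA_SENSITIVE": True, "CKA_EXTRACTABLE": False},
}

if __name__ == "__main__":
    for label, findings in audit_token(SAMPLE_OBJECTS).items():
        print(label, "->", findings or "token-bound")
```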