Where do companies typically store SSL certificates for future use?

Solution 1:

No, SSL certificates don't go in source control, at least not the private key part.

Treat them like you would a password. Ours actually get stored the exact same way our passwords do - in KeePass. It allows you to attach files, and is encrypted.

Solution 2:

There are multiple solutions:

One avenue is a specific key vault: either a hardware-based appliance, a hardware security module, or a software-based equivalent.

Another is to simply revoke the old key and generate a new private/public key pair when the situation arises. That somewhat shifts the problem from maintaining key security to securing the username/password of the account with the certificate provider and their procedures for re-issue. The advantage there is that most organisations already have a privileged account management solution, e.g. 1 2

There are multiple ways of offline storage, from printing a hard copy of the private and public key pair including the password (but that will be a female dog to restore) to simply storing them on digital media rated for long-term storage.

Really bad places are GitHub, your team wiki or a network share (and you get the idea).

Update 2015/4/29: Keywhiz seems an interesting approach as well.


Solution 3:

If you put the private key in source control, anyone who has access to it will be able to impersonate your server. If your web server is not using PFS (perfect forward secrecy) then it's also possible to decrypt any captured SSL traffic with commonly available open source tools like Wireshark.

You can protect the key by DES- or AES-encrypting it with a passphrase using OpenSSL. OpenSSL is available for Linux, OSX and Windows.

OpenSSL can also remove the passphrase when a passphrase is inconvenient (e.g. on a web server that starts automatically but doesn't support automatic entry of passphrases).

Adding a passphrase using AES encryption (more secure than DES):

openssl rsa -aes256 -in private.key -out encrypted.private.key

Removing a passphrase (you will be prompted for the passphrase):

openssl rsa -in encrypted.private.key -out decrypted.private.key
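As an added example (not part of the answers above), a small POSIX shell check that flags private keys in a directory tree which carry no passphrase, so that a key accidentally heading for source control or a wiki is caught early. It recognises the two encrypted PEM layouts OpenSSL writes (legacy `Proc-Type: 4,ENCRYPTED` headers and PKCS#8 `ENCRYPTED PRIVATE KEY` blocks); the sample files it writes are constructed placeholders, not real keys, and only `grep`, `find` and `mktemp` are assumed.

```shell
#!/bin/sh
# Added example: detect PEM private keys stored without a passphrase.

# is_unprotected_key FILE -> returns 0 if FILE is a PEM private key with no passphrase.
# Only OpenSSL PEM formats are handled; OpenSSH keys use a different encryption marker.
is_unprotected_key() {
    f="$1"
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f" || return 1   # not a private key at all
    grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f" && return 1   # encrypted PKCS#8
    grep -q '^Proc-Type: 4,ENCRYPTED' "$f" && return 1   # legacy PEM written with -aes256/-des3
    return 0
}

# scan_tree DIR -> prints each unprotected key under DIR; returns 1 if any were found.
scan_tree() {
    found=0
    for f in $(find "$1" -type f \( -name '*.pem' -o -name '*.key' \)); do
        if is_unprotected_key "$f"; then
            echo "unprotected private key: $f"
            found=1
        fi
    done
    return $found
}

# make_samples DIR -> writes constructed placeholder files (no real key material).
make_samples() {
    d="$1"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDERBASE64' \
        '-----END RSA PRIVATE KEY-----' > "$d/plain.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,0000000000000000' '' 'PLACEHOLDERBASE64' \
        '-----END RSA PRIVATE KEY-----' > "$d/legacy-enc.key"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'PLACEHOLDERBASE64' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$d/pkcs8-enc.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDERBASE64' \
        '-----END CERTIFICATE-----' > "$d/cert.pem"   # public part, never flagged
}

# Stand-alone demo: expect exactly plain.key to be reported.
if [ "${DEMO:-0}" = 1 ]; then
    tmp=$(mktemp -d)
    make_samples "$tmp"
    scan_tree "$tmp"
    rm -rf "$tmp"
fi
```

Run with `DEMO=1 sh check-keys.sh` to see the demo, or call `scan_tree /path/to/repo` directly.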