views: 506

answers: 2

I find myself needing to store public key certificates, and a single private key certificate for an in-house application.

A member of our team suggested storing the X509 certificates in the database, instead of storing it in the Windows certificate store, as we have been doing up until now. I don't like re-inventing the wheel, but I have to at least consider the idea. It would mean keeping our data more centralized, which is good, I suppose.

The initial barriers that I can see are:

  • The private key still needs to be stored somewhere, and I don't know if shoehorning it into a 'public key' table is a good idea. I don't like the idea of setting up a table for a single element, either. Perhaps just keep the private key as a local file? (.pfx file, for instance).
  • Revocation Lists. We would probably have to set up a process to deal with revoked public keys.

I don't have a lot of experience with X509 certificates, so my question is: Are there any other problems we are likely to encounter storing public key certificates in a database, instead of going with the Windows certificate store?

It's worth bearing in mind that this application is going to be rolled out onto several business clients' servers, so keeping all the data in a single place will make for easier backups. Oh, and the in-house app in question is being developed with C#.

Thanks!
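The layout the question is circling around (public certificates in a table, the single private key left in the Windows store, revocation handled explicitly) can be sketched in C# like this. This is an added example, not code from the question or either answer. It assumes .NET Framework 4.6+ or .NET Core; the `Table` dictionary stands in for a database table `PublicCertificates(Thumbprint, DerBytes)`, and `<THUMBPRINT-PLACEHOLDER>` is exactly that, a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the question or the answers). Assumes .NET Framework 4.6+ / .NET Core.
public static class CertificateRepository
{
    // Stand-in for the database table: thumbprint -> DER-encoded certificate (public part only).
    private static readonly Dictionary<string, byte[]> Table =
        new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase);

    // Store only the public certificate. X509ContentType.Cert never includes the private key,
    // so nothing sensitive lands in the database even if the caller passes a cert that has one.
    public static string Save(X509Certificate2 cert)
    {
        byte[] der = cert.Export(X509ContentType.Cert);
        Table[cert.Thumbprint] = der;
        return cert.Thumbprint;
    }

    // Rehydrate a certificate from its stored bytes.
    public static X509Certificate2 Load(string thumbprint)
    {
        byte[] der;
        if (!Table.TryGetValue(thumbprint, out der))
            throw new KeyNotFoundException("No certificate with thumbprint " + thumbprint);
        return new X509Certificate2(der);
    }

    // The private key stays in the Windows store (CurrentUser\My or LocalMachine\My); the table
    // only needs the thumbprint to find it. validOnly:true also rejects expired/untrusted entries.
    public static X509Certificate2 FindPrivateKeyOwner(string thumbprint, StoreLocation location)
    {
        using (var store = new X509Store(StoreName.My, location))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            X509Certificate2Collection hits =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: true);
            if (hits.Count == 0 || !hits[0].HasPrivateKey)
                throw new CryptographicException("No private key for " + thumbprint + " in " + location);
            return hits[0];
        }
    }

    // Revocation does not come for free once certs live in a table: build the chain with
    // online CRL/OCSP checking before trusting a public cert pulled from the database.
    public static bool IsTrustedAndUnrevoked(X509Certificate2 cert, out string reason)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15);
            bool ok = chain.Build(cert);
            reason = ok
                ? "ok"
                : string.Join("; ", Array.ConvertAll(chain.ChainStatus,
                      s => s.Status + ": " + s.StatusInformation.Trim()));
            return ok;
        }
    }

    public static void Main()
    {
        // Flow: locate the key owner in the store, persist only its public half, reload and validate.
        var owner = FindPrivateKeyOwner("<THUMBPRINT-PLACEHOLDER>", StoreLocation.CurrentUser);
        string id = Save(owner);
        var fromDb = Load(id);
        string why;
        Console.WriteLine(fromDb.Subject + " trusted=" + IsTrustedAndUnrevoked(fromDb, out why) + " (" + why + ")");
        Console.WriteLine("Stored copy carries a private key: " + fromDb.HasPrivateKey);
    }
}
```

Two things this makes concrete: the database row is public material only (a dump of the table leaks nothing beyond what the certificates already say), and a `validOnly` store lookup plus an online chain build are the two places where revocation actually gets enforced; if the application never calls something like `IsTrustedAndUnrevoked`, a revoked certificate sitting in the table is indistinguishable from a good one.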

+3 A:

What is the purpose of your application?

If you are handling all the crypto in your application, and can reference a PKCS#12 cert + private key file, then going the database route is probably fine.

If you need to use Windows Crypto API to access the certs, then you'll probably want to keep using the built-in certificate store. You gain some advantages here as you can protect the private key on an external device, like a smart card or Hardware Security Module (HSM).

You'll want to make sure that you go through a significant effort to protect the private key if you're storing everything on the local disk. Be sure to use a strong passphrase and use best practices to protect this passphrase in your app.

Brian Kelly
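For the "PKCS#12 file plus a passphrase you protect in your app" route this answer describes, here is an added example in C# (not the answer's own code). It assumes Windows and .NET Framework 4.7.2+ or .NET Core 2.0+ (for `EphemeralKeySet`), with `System.Security.Cryptography.ProtectedData` available (in-box on .NET Framework, a NuGet package on .NET Core); the file paths and the entropy value are placeholders.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example, not from the answer. Windows-only because it relies on DPAPI (ProtectedData).
public static class PfxLoader
{
    // One-time setup, run as the service account that will later load the PFX: encrypt the
    // passphrase with DPAPI so the plaintext never sits in a config file or source control.
    // 'entropy' is an app-specific secret salt (placeholder here) that DPAPI mixes in.
    public static void ProtectPassphrase(string passphrase, string outputPath, byte[] entropy)
    {
        byte[] blob = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(passphrase), entropy, DataProtectionScope.CurrentUser);
        File.WriteAllBytes(outputPath, blob);
    }

    // Runtime: recover the passphrase (only the same Windows account can), open the PKCS#12
    // file, and keep the key in memory only.
    public static X509Certificate2 LoadPfx(string pfxPath, string protectedPassphrasePath, byte[] entropy)
    {
        byte[] blob = File.ReadAllBytes(protectedPassphrasePath);
        byte[] plain = ProtectedData.Unprotect(blob, entropy, DataProtectionScope.CurrentUser);
        try
        {
            // EphemeralKeySet: the private key is not persisted to a key container on disk.
            var cert = new X509Certificate2(pfxPath, Encoding.UTF8.GetString(plain),
                X509KeyStorageFlags.EphemeralKeySet);
            if (!cert.HasPrivateKey)
                throw new CryptographicException("PFX contains no private key");
            return cert;
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length); // scrub the passphrase bytes we control
        }
    }

    // Sign with the loaded key; callers never see raw key material.
    public static byte[] Sign(X509Certificate2 cert, byte[] data)
    {
        using (RSA rsa = cert.GetRSAPrivateKey())
        {
            if (rsa == null) throw new CryptographicException("Certificate key is not RSA");
            return rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    public static void Main()
    {
        byte[] entropy = Encoding.UTF8.GetBytes("<APP-SPECIFIC-ENTROPY-PLACEHOLDER>");
        string pfx = @"C:\app\signing.pfx";          // placeholder path
        string secret = @"C:\app\signing.pass.dpapi"; // placeholder path
        // First run only: ProtectPassphrase("<PASSPHRASE-PLACEHOLDER>", secret, entropy);
        using (X509Certificate2 cert = LoadPfx(pfx, secret, entropy))
        {
            byte[] sig = Sign(cert, Encoding.UTF8.GetBytes("payload"));
            Console.WriteLine(cert.Subject + " produced a " + sig.Length + "-byte signature");
        }
    }
}
```

The caveat worth knowing: the `X509Certificate2` constructor takes the passphrase as a managed string, so it exists briefly in memory as an immutable string regardless of the scrubbing above; DPAPI limits who can recover it at rest (same Windows account, same machine), which is the part "best practices to protect this passphrase" can realistically deliver on a local disk.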
A: 

I would be reluctant to move the private key to any other location unless really necessary. It's not required if the key is being used for signing and would only be required if the key is being used for decrypting and you wish to archive it for the future. Even in this instance the certificate authority that issued the certificate would commonly be able to handle archival and recovery. This is certainly the case for the more popular CAs such as Microsoft and Entrust.

If you must store it then encrypt it using AES and a key that you are able to protect either in an HSM (Hardware Security Module) or on a smartcard. Do not leave this key in plain text (in a file or the registry).

You would also wish to protect this key in transit between its generation location and the central database. SSL or VPN, etc.

Revocation lists are published by the Certificate Authority in most environments, usually to an LDAP or the directory or both.

Mark Sutton
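If you do end up putting the private key in the database, the "encrypt it using AES under a key you protect in an HSM or smartcard" advice looks roughly like the following in C#. This is an added example, not the answer's own code. It assumes .NET Core 3.0 / .NET 5 or later (`AesGcm`, `ExportPkcs8PrivateKey`, `CertificateRequest`), and that the certificate's key is exportable; `GetKeyEncryptionKeyFromHsm` is a placeholder for whatever HSM or smart-card API actually holds the wrapping key, stubbed here with a random in-memory key so the round trip runs offline.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example, not from the answer. .NET Core 3.0+ / .NET 5+.
public static class PrivateKeyVault
{
    // Placeholder for the HSM/smartcard-held AES key. In production the key never leaves the
    // device; here it is a random process-lifetime key purely so the sample is runnable.
    private static readonly byte[] DemoKek = RandomBytes(32);
    private static byte[] GetKeyEncryptionKeyFromHsm() { return DemoKek; }

    private static byte[] RandomBytes(int n)
    {
        var b = new byte[n];
        RandomNumberGenerator.Fill(b);
        return b;
    }

    // The row as it would be stored in the database: nonce, ciphertext, GCM tag, and the
    // thumbprint of the matching public certificate (join key to the public-cert table).
    public sealed class WrappedKey
    {
        public string Thumbprint;
        public byte[] Nonce;
        public byte[] Ciphertext;
        public byte[] Tag;
    }

    public static WrappedKey Wrap(X509Certificate2 certWithKey)
    {
        using (RSA rsa = certWithKey.GetRSAPrivateKey())
        {
            byte[] pkcs8 = rsa.ExportPkcs8PrivateKey(); // requires an exportable key
            try
            {
                var w = new WrappedKey
                {
                    Thumbprint = certWithKey.Thumbprint,
                    Nonce = RandomBytes(12), // fresh per wrap; never reuse a nonce under one KEK
                    Ciphertext = new byte[pkcs8.Length],
                    Tag = new byte[16],
                };
                using (var gcm = new AesGcm(GetKeyEncryptionKeyFromHsm()))
                {
                    // The thumbprint is authenticated data: moving a row to another cert's
                    // thumbprint makes decryption fail instead of silently yielding a wrong key.
                    gcm.Encrypt(w.Nonce, pkcs8, w.Ciphertext, w.Tag, Encoding.ASCII.GetBytes(w.Thumbprint));
                }
                return w;
            }
            finally { CryptographicOperations.ZeroMemory(pkcs8); }
        }
    }

    public static RSA Unwrap(WrappedKey w)
    {
        byte[] pkcs8 = new byte[w.Ciphertext.Length];
        try
        {
            using (var gcm = new AesGcm(GetKeyEncryptionKeyFromHsm()))
                gcm.Decrypt(w.Nonce, w.Ciphertext, w.Tag, pkcs8, Encoding.ASCII.GetBytes(w.Thumbprint));
            RSA rsa = RSA.Create();
            rsa.ImportPkcs8PrivateKey(pkcs8, out _);
            return rsa;
        }
        finally { CryptographicOperations.ZeroMemory(pkcs8); }
    }

    public static void Main()
    {
        // Constructed input: a throwaway self-signed cert, so no store, file or HSM is needed.
        using (RSA keyPair = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=demo", keyPair, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (X509Certificate2 cert = req.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1)))
            using (RSA restored = Unwrap(Wrap(cert)))
            {
                byte[] msg = Encoding.UTF8.GetBytes("hello");
                byte[] sig = restored.SignData(msg, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                Console.WriteLine("round trip verifies: " +
                    keyPair.VerifyData(msg, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
            }
        }
    }
}
```

The design point is that the database only ever holds the wrapped blob; the thing that makes the blob useful (the AES key) lives behind the HSM or smartcard boundary, so a copy of the database, a backup tape, or the DBA's credentials do not by themselves yield the private key. In-transit protection between the generating machine and the database is still a separate matter (the SSL/VPN point above), since the PKCS#8 bytes exist in plaintext on the generating host until `Wrap` runs.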