Abstract

When you use CertKit, your private keys live in CertKit’s database, encrypted at rest. We’ve written about why the actual risk is smaller than it sounds. But some organizations have policies that prohibit storing private keys with any third party, regardless of how they’re protected. That policy isn’t going away.

The Local Keystore enables those organizations to use CertKit and still keep their keys local.

How it works

The Local Keystore runs as a service on a server inside your infrastructure. When CertKit needs to issue or renew a certificate, it asks the Keystore to generate the private key and CSR locally. The Keystore hands back the CSR, CertKit handles ACME validation and gets the certificate signed, and the result comes back to the Keystore. The private key never went anywhere.
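The keystore side of that exchange, as an added illustration in Go (not CertKit's own code): the key is generated locally, the PEM CSR is the only artifact that leaves, and the certificate that comes back is accepted only if it belongs to the locally held key. The function names and the domain are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
)

// LocalKey holds the keystore-side private key; it never leaves this process.
type LocalKey struct{ priv *ecdsa.PrivateKey }

// NewCSR generates a P-256 key locally and returns only the PEM-encoded CSR,
// which is the single artifact handed to the CertKit service.
func NewCSR(name string) (*LocalKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := x509.CertificateRequest{Subject: pkix.Name{CommonName: name}, DNSNames: []string{name}}
	der, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, priv)
	if err != nil {
		return nil, nil, err
	}
	return &LocalKey{priv}, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// Accept takes the PEM certificate returned after ACME validation and rejects
// it unless its public key is the one belonging to the local private key.
func (k *LocalKey) Accept(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !pub.Equal(&k.priv.PublicKey) {
		return nil, errors.New("certificate does not match local private key")
	}
	return cert, nil
}
```

In a real deployment the CSR would go to CertKit and the certificate would come back from the ACME CA; the mismatch check in Accept is what stops a certificate for some other key from being installed against the local one.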

You still get everything CertKit normally handles: renewal scheduling with ARI support, certificate distribution, and verification. You just don’t have to hand us the keys to make it work.

It deploys the same way as the CertKit Agent: a service install snippet for Windows or Linux. It’s written in Go and published under the Elastic license, so you can read the source and verify it does what we say. When you install it, your existing certificates migrate automatically from CertKit’s central storage to your Keystore.

Agents at version 1.7.0 or higher automatically pull certificates from the keystore once it’s running. No reconfiguration, no re-enrollment. One install on the keystore host, and everything follows.

Disadvantages of owning your keys

The server running your keystore is mission-critical infrastructure. If it’s offline when a certificate needs to renew, that certificate doesn’t renew. If you lose your keys without a backup, they’re gone, and you’ll have to regenerate everything from scratch.

Treat it that way: proper uptime, monitored availability, encrypted backups you’ve actually tested. This isn’t something to run on a spare VM. In the default setup, CertKit takes care of all of that for you, so the overhead may not be worth it for everyone.

The Local Keystore is available now for Enterprise customers in beta. Get in touch to enable it for your account.


CertKit automates certificate lifecycle management, including on infrastructure where private keys can’t leave the building.