7. Keystore
Keep your private keys on your own infrastructure.
Plan Requirement: The CertKit Keystore is a premium local security and compliance service and is only available on our Enterprise tier plans.
The CertKit Keystore is an on-premise service that manages private key generation and storage within your infrastructure. When active, CertKit’s cloud services only handle public material (CSRs and issued certificates). Private keys never leave the keystore host.
Source code is available at github.com/certkit-io/certkit-keystore.
Purpose
The Keystore is designed for environments where strict compliance or security requirements mandate that private keys remain isolated on local infrastructure.
Trade-offs
Using a local Keystore introduces several management requirements:
- Backups: You are responsible for backing up the keystore. Lost keys cannot be recovered by CertKit.
- Restricted Access: Manual downloads of PFX and private key files via the dashboard are disabled to ensure keys remain on-premise.
- Enterprise-Only: The Keystore is only available with Enterprise CertKit plans.
Keystore UI
The Keystore page provides a per-certificate status table. Monitor this table for error states, which indicate failed key generation attempts.