To ensure secure storage of private keys and certificates, you need to use a keystore. You can use the IBM® Global Security Kit (GSKit) to create a PKCS#12 keystore (with the .p12 extension) or a CMS keystore (with the .kdb extension).

Certificate Management System (CMS) is the native GSKit keystore, containing:
  • X.509 certificates.
  • Certificate requests (pending signing by an authority).
  • Private keys for the stored certificates where applicable.
If a certificate has an associated private key, the private key is stored in an encrypted state in the keystore together with that certificate.
Note: Private keys cannot be stored without an associated certificate.