Safe keeping of private key of your certificate

The safe keeping of private keys is 'key' for public key cryptography. Someone that can obtain your private key can use this key to impersonate the rightful owner via all communications and transactions on encrypted networks. Therefore, your private key must be in the possession only of authorized users only, and they must be protected from unauthorized use.

In general, you can provide more security for private keys by doing the following:

  • Make sure that the physical- and network security for computers and devices where private keys are generated and stored is in place.
  • Make sure that you never share your private key via a public medium in plain format. Xolphin never asks for private keys, neither do we possess them.


When generating an CSR on a Windows system, the key is kept in the Certificate Store on the machine itself. Only by exporting the keypair in PFX format makes the key available outside the system, but the PFX is proteced by password encryption. Keeping both the PFX file and password safe should be sufficient for unauthorized use.


Certificates and private keys are stored in the Keychain utility. The Keychain is protected by the login password, so it is wise to always set a password on your user account. To add extra security to your Keychain, it is possible to set a different password for the utility. When the computer goes idle, the Keychain utility will automatically lock itself.


On Linux systems the key is mostly generated with OpenSSL, and stored as an PEM formatted file. You should make sure that it is kept in a directory not accessible other than root, with secure privileges:

 chown root *.key *.csr
 chmod 600 *.key *.csr


Our SSLCheck will examine your website's root and intermediate certificates for correctness and report any potential issues