Private key storing
Security just tells you to encrypt everything but won't tell you how to achieve that in your particular software stack. You have to store the encryption key in a protected manner. It could be stored at an HSM, a smartcard, a crypto token, at the server hard disk, even written in a paper (split and stored in vaults). The key can be unencrypted (in the clear) or encrypted with another key. If you are talking about encryption keys that are part of your business application, you have to store them encrypted but your software should be able to decrypt it without manual intervention.
Public key storing
But what about the public key? Verification of digital certificates fails even more often than users loss their private keys because CA is a much bigger and interesting target for cybercriminals. As an alternative to a traditional system of chain of trust, blockchain provides a permanent and trusted timestamp by design. To undermine this timestamp would require massive computational effort — rewriting the entire blockchain . This ultimately gives Issuers the ability to rotate their issuing keys without undermining the ability of 3rd parties to reliably verify transactions. The blockchain is a distributed ledger that does not depend on any trusted party like a Certificate Authority. The effect is improved availability, the capacity to independently verify, and redundancy that avoids single points of failure.
Top comments (1)
For private keys, there is a NIST standard that is really helpful:
nvlpubs.nist.gov/nistpubs/SpecialP...
For public keys, the certificate transparency initiative has been going for few years and all major browsers now support it:
certificate-transparency.org/what-...
Unsurprisingly it's a cryptographic ledger system of when certificates were issued :)