Store the private key with a self-signed certificate. Replace the cert when it is issued.
Sent from Comcast mobile -----Original Message----- From: Matthew Hall To: security-dev Sent: 2013-02-20 00:27:51 +0000 Subject: Safe storage of RSA private keys before binding to X.509 cert Hello, I have a question about safely storing RSA private keys while waiting for a Cerification Request to be processed remotely so a signed X.509 Certificate will be returned. I want to store it inside the PKCS #11 KeyStore so it will be protected while we wait for the Certificate to become available, so that both can be bound together and then stored. However, the KeyStore APIs prevent this from succeeding: If public final void setKeyEntry(String alias, byte[] key, Certificate[] chain) is used with keyPair.getPrivate().getEncoded(), it throws UnsupportedOperationException. If public final void setKeyEntry(String alias, Key key, char[] password, Certificate[] chain) is used, it throws java.lang.IllegalArgumentException: Private key must be accompanied by certificate chain. If one creates a RAW-type SecretKey using SecretKeySpec privateKeySpec = new SecretKeySpec(privateKeyBytes, "RAW"), and attempts to store the RAW SecretKey, it throws java.security.KeyStoreException: Cannot convert to PKCS11 keys caused by java.security.InvalidKeyException: Unknown algorithm RAW. How is one supposed to store the RSA PrivateKey in a FIPS-safe way, if the KeyStore refuses to handle it via any of these APIs? Several threads on StackOverflow also mentioned this issue, with no known workaround. Regards, Matthew.