I find myself needing to store public key certificates, and a single private key certificate for an in-house application.
A member of our team suggested storing the X509 certificates in the database, instead of storing them in the Windows certificate store, as we have been doing up until now. I don't like re-inventing the wheel, but I have to at least consider the idea. It would mean keeping our data more centralized, which is good, I suppose.
The initial barriers that I can see are:
I don't have a lot of experience with X509 certificates, so my question is: are there any other problems we are likely to encounter storing public key certificates in a database, instead of going with the Windows certificate store?
It's worth bearing in mind that this application is going to be rolled out onto several business clients' servers, so keeping all the data in a single place will make for easier backups. Oh, and the in-house app in question is being developed with C#.
Thanks!
What is the purpose of your application?
If you are handling all the crypto in your application, and can reference a PKCS#12 cert + private key file, then going the database route is probably fine.
If you need to use Windows Crypto API to access the certs, then you'll probably want to keep using the built-in certificate store. You gain some advantages here as you can protect the private key on an external device, like a smart card or Hardware Security Module (HSM).
You'll want to make sure that you go through a significant effort to protect the private key if you're storing everything on the local disk. Be sure to use a strong passphrase and use best practices to protect this passphrase in your app.
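The "reference a PKCS#12 cert + private key file from your own code" route described in the answer, as an added example that is not part of the original question or answer. It assumes an in-memory dictionary standing in for the database (DER-encoded public certificates keyed by thumbprint, plus one passphrase-protected PKCS#12 blob for the signing key), a self-signed certificate generated in-process so the sample runs offline, a constructed passphrase, and .NET Core 2.0+ / .NET Framework 4.7.2+ for `CertificateRequest` and `X509KeyStorageFlags.EphemeralKeySet`:

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Stand-in for the database (assumption for this example): public certificates are
// stored as DER bytes keyed by thumbprint, and the single private key travels with its
// certificate as a passphrase-protected PKCS#12 blob, i.e. what a BLOB column would hold.
static class CertDb
{
    public static readonly Dictionary<string, byte[]> PublicCerts = new Dictionary<string, byte[]>();
    public static byte[] SigningKeyPkcs12;
}

static class Program
{
    static void Main()
    {
        // Constructed for the example. In production the passphrase must come from a secret
        // store (DPAPI, a vault, an environment variable set by the host), never from source code.
        string passphrase = "example-only-passphrase";

        // Provisioning: normally done once by an admin tool; done here so the sample is self-contained.
        using (RSA rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=in-house-app", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (X509Certificate2 cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddYears(1)))
            {
                CertDb.SigningKeyPkcs12 = cert.Export(X509ContentType.Pkcs12, passphrase); // cert + encrypted private key
                CertDb.PublicCerts[cert.Thumbprint] = cert.Export(X509ContentType.Cert);   // DER, public part only
            }
        }

        // Runtime: sign with the key loaded from the "database", then verify using only the stored public cert.
        byte[] payload = Encoding.UTF8.GetBytes("order 1234");
        string signerThumbprint;
        byte[] signature = Sign(payload, passphrase, out signerThumbprint);
        Console.WriteLine(Verify(payload, signature, signerThumbprint) ? "signature OK" : "signature BAD");
    }

    static byte[] Sign(byte[] data, string passphrase, out string thumbprint)
    {
        // EphemeralKeySet keeps the decrypted key in memory only. Without it, loading a PKCS#12 on
        // Windows can persist the private key into the user's profile on disk as a side effect.
        using (var cert = new X509Certificate2(CertDb.SigningKeyPkcs12, passphrase, X509KeyStorageFlags.EphemeralKeySet))
        using (RSA key = cert.GetRSAPrivateKey())
        {
            if (key == null) throw new CryptographicException("PKCS#12 blob carries no RSA private key");
            thumbprint = cert.Thumbprint;
            return key.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    static bool Verify(byte[] data, byte[] signature, string thumbprint)
    {
        byte[] der;
        if (!CertDb.PublicCerts.TryGetValue(thumbprint, out der)) return false; // unknown signer
        using (var cert = new X509Certificate2(der))
        using (RSA pub = cert.GetRSAPublicKey())
        {
            // Validity window check; a real deployment also builds and checks an X509Chain
            // (issuer trust, revocation) against the roots it keeps in the database.
            DateTime now = DateTime.UtcNow;
            if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime()) return false;
            return pub.VerifyData(data, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }
}
```

The points the answer raises show up directly here: nothing touches the Windows certificate store, so the same code runs on every client server once the blobs are in the database; the private key exists in the clear only inside the `using` block that signs; and the whole design rests on the passphrase, so the backup that makes the database attractive also needs the passphrase kept somewhere the backup does not include. `EphemeralKeySet` is not supported for PKCS#12 import on macOS, which does not matter for the Windows deployment discussed but is worth knowing if the code is ever run elsewhere.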