7.3 Credential stores used in MSS

Management and Security Server (MSS) stores certificates and keys in several locations. Here’s how the stores are used during a TLS transaction.

Keystores contain a party’s own certificate and a private key. The party’s keystore is used to authenticate itself when presented to another party (server or client).

Trust stores contain the certificates from other parties (servers or clients). The trust store may contain certificates from trusted Certificate Authorities (CAs) as well as other parties’ self-signed certificates. Trust stores are used to verify the certificates received during a TLS transaction.

During a TLS transaction, the keystore is used to authenticate the sender to the receiver. The receiver verifies the certificate presented by checking its list of trusted certificates in the trust store.

MSS uses Bouncy Castle as the provider for keystore operations, and the .bcfks (Bouncy Castle FIPS keystore) extension is used for cryptographic files.

The tables that follow identify and describe the credentials stored in each location.