To establish an identity for a PKI server entity requires that the entity first create a private/public key pair and store the private key, encrypted, in a secure storage location. The public key, with proof of the owners identity, must be submitted to a CA that validates the owners identity and, if valid, issues a digital certificate that contains the owners public key. The location for storing the servers private key is commonly known as a keystore.

A keystore must allow the owner to manage the servers identity securely, so that the secrecy of the private key is not compromised. At a minimum, each private key (keystore entry) used to establish an identify in the keystore must be individually password-protected.