Establishing an identity for a PKI server entity requires that the entity first create a private/public key pair and store the private key, encrypted, in a secure storage location. The public key, with proof of the owner's identity, must be submitted to a CA that validates the owner's identity and, if valid, issues a digital certificate that contains the owner's public key. The location for storing the server's private key is commonly known as a key store.
A key store must allow the owner to manage the server's identity securely, so that the secrecy of the private key is not compromised. At a minimum, each private key (key store entry) used to establish an identity in the key store must be individually password-protected.
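The steps above, sketched with the OpenSSL command line as an added example that is not part of the original text. It assumes the `openssl` tool is installed and uses a directory of PEM files as a stand-in for a key store. The file names, subject name and passwords are constructed placeholders.

```shell
#!/bin/sh
# Added example. Directory, subject and passwords are constructed placeholders.

# Generate an RSA key pair; the private key is only ever written to disk
# encrypted (PKCS#8, AES-256-CBC) under its own password.
make_key() {   # make_key <dir> <password>
    ( umask 077   # key file readable by the owner only
      KEYPASS="$2" openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -aes-256-cbc -pass env:KEYPASS -out "$1/server.key" 2>/dev/null )
}

# Build the request sent to the CA: the public key plus the claimed name,
# signed with the private key so the CA can check the requester holds it.
make_csr() {   # make_csr <dir> <password> <subject>
    KEYPASS="$2" openssl req -new -key "$1/server.key" -passin env:KEYPASS \
        -subj "$3" -out "$1/server.csr" 2>/dev/null
}

# True if the stored key is encrypted at rest.
key_is_encrypted() { grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1/server.key"; }

# True only if <password> decrypts the stored key.
key_opens_with() {   # key_opens_with <dir> <password>
    KEYPASS="$2" openssl pkey -in "$1/server.key" -passin env:KEYPASS \
        -noout 2>/dev/null
}

# True if the CSR carries the public half of the stored private key.
csr_matches_key() {   # csr_matches_key <dir> <password>
    from_csr=$(openssl req -in "$1/server.csr" -noout -pubkey 2>/dev/null)
    from_key=$(KEYPASS="$2" openssl pkey -in "$1/server.key" \
        -passin env:KEYPASS -pubout 2>/dev/null)
    [ -n "$from_csr" ] && [ "$from_csr" = "$from_key" ]
}

# Demo run in a throwaway directory.
demo_dir=$(mktemp -d)
make_key "$demo_dir" 'constructed-demo-password' &&
make_csr "$demo_dir" 'constructed-demo-password' '/CN=server.example.test' &&
key_is_encrypted "$demo_dir" &&
csr_matches_key "$demo_dir" 'constructed-demo-password' &&
echo "encrypted key and CSR written to $demo_dir"
```

The password is passed through an environment variable rather than a `pass:` argument so that it does not appear in the process argument list.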