Private keys are the cornerstone of TLS security, but they are also the easiest thing to get right. After all, CAs won’t be willing to issue certificates against weak keys. But despite our focus on key sizes, the weakest link is usually key management, or the job of keeping the private keys private. We’ll touch upon that in this section. Equally important are certificates, which build upon the keys with important metadata, such as the permission to associate a certificate with a particular domain name.