Certificate Management Service encrypts private keys before it stores the private keys for certificates by using Key Management Service. This ensures the security of private keys.
Certificate Management Service uses accredited KMS to encrypt and store the private keys that are uploaded with your certificates and the private keys that are generated by using certificate signing requests (CSRs) during your certificate application.
Certificate Management Service stores private keys for certificates by using various asymmetric encryption methods. A private key is not stored in plaintext on disks. The plaintext appears in application memory only when necessary. For example, when you download a certificate, Certificate Management Service decrypts the ciphertext of the private key for the certificate. The plaintext appears in your server memory. This way, you can download the plaintext to your local computer over HTTPS.