18

I always assumed that the process for getting a (trusted, not self-signed) certificate was more or less like this:

  1. You generate a public and private key pair
  2. From this key pair you generate a certificate
  3. You submit your public key, certificate and other (company) information to a CA
  4. The CA checks that the information you provided is correct
  5. The CA signs your certificate

However, lately I am doubting this. People told me that in fact the CA itself generates the public and private key pair and certificate and signs it and sends all of that to you... This would seem to me to be very insecure in the sense that all private keys of all certificates would be in the hands of just a few CA's.

I have been reading this question with a lot of interest: How do certification authorities store their private root keys?. However it only discusses the CA's own private keys.

So do the CA's have a copy of the private keys of the certificates they sign or not?

Stijn de Witt
  • 283
  • 2
  • 7

2 Answers2

24

Depending on how the CA does things, it may or may not have a copy of your private key. Usually it doesn't.

The normal method is that you generate your private/public key pair on your own machine, then send the public key to the CA as part of a certificate request. The CA assembles and signs the certificate, and sends it back to you. Your private key never left your machine, and the CA never saw it.

However, in some cases, it is a good idea to let the CA generate the key pair, and send it to you. One situation where this is desirable is for asymmetric encryption keys: if you lose a private key, then you lose all the data which has been encrypted with the corresponding public key, since you can no longer decrypt it. Therefore, encryption private keys should be backupped somewhere, and having the CA generate the private key makes it easy for the CA to enforce a comprehensive, inescapable backup system.

To know what happens with a specific CA, have a look at what they return to you: if the CA sends to you a PFX (PKCS#12) archive, then CA has the private key, or at least had the private key (whether it saved it is another matter). On the other hand, if the CA sends to you a raw certificate only, then it does not have the private key.

In any case, the whole process should be documented by the CA with which you are doing business; if the CA does not document what it does, and in particular where private keys are generated and whether they are stored or not, then find another CA. CA which do things opaquely cannot be trusted. Indeed, it is a basic requirements of all "CA best practice guides" (e.g. Web Trust) that a CA must document everything.

Tom Leek
  • 170,038
  • 29
  • 342
  • 480
2

When the CA signs the locally generated keypair, the private key is never seen by the CA server.

If you use IE in a corporate environment, or a similarly configured EXE, it may be possible possible for that website to request the ActiveX control to upload the private key to the CA for key archival/escrow purposes.

makerofthings7
  • 50,488
  • 54
  • 253
  • 542