1

Background

I was a bit surprised that several CAs do not allow anymore to send a plain old CSR in text form to them which was created in the classic fashion with OpenSSL or similar.

But this would mean that the CA gets a copy of my key. Which is definitely anything but best practice (also see this question).

What I did so far

Here's what I did so far. All with a recent Firefox version as recommended by the FAQ.

I started the process with a reseller of Comodo CA by entering all the details for contact et cetera as well as some of the fields that would later appear in the certificate (e.g. contact email).

Then, proceeding to the next step, I noticed very brief "popup" which looked like something "key generation" related. And then I noticed there was no way to upload the CSR and backed out for now.

Question

How can I be sure that the private key whether generated by Firefox or by me, never actually leaves my machine? Right now this process looks very much opaque to me.

Is there any way of compelling Firefox to make this process a bit more transparent such that I can be sure the private key never leaves my machine? I'm looking for settings or alternatives that allow me to insert a pre-generated CSR in text form.

0xC0000022L
  • 1,603
  • 2
  • 15
  • 20

0 Answers0