15

I would like to obtain a trusted S/MIME certificate, but all the certificate authorities I have asked so far generate the keypair on their server, sign the certificate and send me both the private key and public signed certificate.

It seems to me that this unnecessarily exposes my private key to the Certificate Authority, and in the light of PRISM many others besides, I don't understand why they ever need see my private key.

Creating an untrusted certificate on my machine with openssl is not a problem. Does anyone know of a Certification Authority who would sign an already created public key without ever having access to my private key?

I'm aware that an OpenPGP based solution would avoid this problem, but very few people and email programs use it.

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
user1043479
  • 253
  • 2
  • 4
  • related: [Where does StartSSL generate the cerificate, server or client-side?](http://security.stackexchange.com/questions/22680/where-does-startssl-generate-the-cerificate-server-or-client-side) – Tobias Kienzler Aug 02 '13 at 13:36

2 Answers2

10

It's not standard for a commericial CA to insist on making your private keys. For reasons you mention.

Here's a link pointing to a collection of CA providers that suggests (and rightfully so) that the typical thing is for your browser to create the key pair and then send the Certificate signing request to the CA. In my experience with high end Verisign Certificates, that is true. I never tried the free/cheap solutions.

Keep in mind, even when the CA walks you through a browser based request, you may very well have the private key stored purely on the browser - CA companies spend a certain amount of effort on browser compatibility testing to make that possible. Don't assume that the server is generating the key just because you are using a browser. Unless it provides "key escrow" my experience has been that this is unlikely.

For the most part, my experience with CA companies has been that they REALLY don't want to take in errant form factors - if you want to send a homemade request for certificate siganture, you are likely to need to find a service that costs more... the reason is pure cost - there's usually a lot more hand holding involved in this approach as the ways to mess this up are numerous and a "generic" certificate request often has to be messed with to meet the security policy and settings required by the CA.

If you absolutely must generate certs with OpenSSL, I'd say look for server provisioning options that let you configure it to look like an S/MIME certificate. Prepare to pay server cert costs.

If not, double check the process and verify that keys are generated on the browser.

utapyngo
  • 103
  • 5
bethlakshmi
  • 11,606
  • 1
  • 27
  • 58
  • 2
    Thanks, I emailed around and globalsign.eu allowed me to do this. I had to choose the advanced options, then state that I would upload a CSR at collection time – user1043479 Jun 14 '13 at 19:50
  • 1
    @bethlakshmi I need to lodge a complaint against a commercial service. But before doing so, I need to proof I contacted their customer support (they have no physical address and no phone numbers). Jurisprudence only accept e‑mails signed with a s/mime certificate submitted through a regular ᴄꜱʀ. Do you know a certificate authority which offers s/mime certificates [through a regular ᴄꜱʀ](https://henrytodd.org/notes/2013/generating-your-own-keys-with-smime/) (and not even having the private keys generated in browser) ? If I use browser generated private keys my contact claims will be challenged. – user2284570 Dec 15 '17 at 10:47
  • I’m living in a place not supported by Globalsign. – user2284570 Dec 15 '17 at 10:53
  • Sorry for being late to the party, but can you elaborate a bit more on how to create a CSR (for a S/MIME cert) if one already created an OpenPGP key pair, i. e. re-use that pair's public key for the CSR via ? – Yoda Sep 22 '20 at 11:07
  • 1
    @Yoda - That feels like something that's a fairly big step away from the original question, which would benefit from having a question of it's own. – bethlakshmi Sep 22 '20 at 15:56
  • @bethlakshmi I've done so, may I ask you to have a look, please? - https://security.stackexchange.com/questions/238641/create-csr-for-s-mime-certificate-from-existing-openpgp-key-pair/ – Yoda Sep 22 '20 at 21:05
  • Done. Saw it right after I posted here. – bethlakshmi Sep 28 '20 at 20:01
6

Though a CA does not need the private key to issue a certificate, certificates for S/MIME will be used for encryption: once you have an S/MIME certificate, people will send encrypted emails to you, and the emails will remain encrypted in your mailbox.

This implies that losing your private key (e.g. your compute hard disk fails, or your laptop is stolen) entails losing your precious emails. This is a problem. To avoid that, encryption keys should have a backup (key escrow can be viewed as a kind of backup). In that sense, a CA generating the key pair and keeping a copy of the private key can be a very useful service.

Good CA ought to offer you the choice between generating the private key on your side, or on their side. If you generate the private key yourself, and never it to the CA (only the public key, as part of the certificate request), then any kind of backup is, of course, your responsibility.

Default mode of most CA is what is easiest to operate and makes the probability of an irate or distressed customer phoning them as low as possible. Certificate generation process will be mostly Web-based, but the certificate and its private key must in fine be available to the user's mail application, which may be quite disjoint from his Web browser. Sending a PKCS#12 (PFX) archive to the user as a file is a method which works "everywhere" (if a mail application supports S/MIME at all, then it supports importing a PKCS#12 file). Local private key generation, sending a certificate request, obtaining the certificate, and importing it back, restoring the logical link between private key and certificate, is a process which can work, but depends on the specific involved software (OS type, OS version, browser type, browser version, mail application type, mail application version). Many variants mean increased risk of helpdesk calls, which is the major cost in operating a professional CA.

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • I need to lodge a complaint against a commercial service. But before doing so, I need to proof I contacted their customer support (they have no physical address and no phone numbers). Jurisprudence only accept e‑mails signed with a s/mime certificate submitted through a regular ᴄꜱʀ. Do you know a certificate authority which offers s/mime certificates [through a regular ᴄꜱʀ](https://henrytodd.org/notes/2013/generating-your-own-keys-with-smime/) (and not even having the private keys generated in browser) ? If I use in browser generated private keys, my contact claims will be challenged in court. – user2284570 Dec 15 '17 at 10:48
  • Sorry for being late to the party, but can you elaborate a bit more on how to create a CSR (for a S/MIME cert) if one already created an OpenPGP key pair, i. e. re-use that pair's public key for the CSR via ? – Yoda Sep 22 '20 at 11:07