3

My question is if the CA can generate a private/public keypair on behalf of the requestor and sign it with its own private key?

Is there any standard way or protocol to distribute such a certificate?

I know that the p12 format is used to store private key as well as the public certificate and this file is password protected. Is this a common practice of a CA to offer this service?

toni77
  • 179
  • 1
  • 8

2 Answers2

4

A server can use a self-signed certificate to identify itself. Clients then have to trust this certificate when they connect or use the server's service.

In PKI infrastructure you normally don't have the CA generate the key-pair unless its the root certificate. Clients and intermediate CAs will generate their own key-pair and use the CSR to have the root certificate sign it. A CA doesn't generate certificates itself because then how can you trust that the CA hasn't kept the private key for itself. This breaks down the PKI infrastructure.

CAs like Symantec/Verisign or GoDaddy generally don't offer services to generate the key-pair for you. Due to reasons in the previous paragraph. You send them a CSR with the information for your certificate to be signed.

See my answer here for more details.

Community
  • 1
RoraΖ
  • 12,317
  • 4
  • 51
  • 83
  • 2
    I disagree. CAs -in addition of accepting CSRs- do offer to generate the key pair for you, in order to make the process more user-friendly. They claim not to keep the key afterwards, but it is still preferable to simply generate the private key locally, so the CA never even sees it. – Ángel Feb 11 '15 at 18:06
2

Generally there are two types of Key Generation available as offline and online generation.

Offline Generation is like CA will create the key pairs and issue certificate to the other party by means of trustworthy between them as means of generation and issuance. And also in some cases , the endusers or subscribers will not aware of what is CSR and key pairs , in this case the CA needs to provide a user friendly mechanism to get the certificate.

Online Generation is like you do get the certificate from trusted third party by providing the CSR as input. Here the user is well aware of security tools.

Note: In the offline cases, your private key is with CA. either he can miss use that for any time for being situation. And also by genuine reason some stolen your private key and misused, you need to untrustworthy of your CA. So its better to avoid the key generation from CA side.

Even most of the PKI infrastructure provide the flexible of generating the key pair in the browsers even the endusers or subscriber will not aware of it just by clicking the OK button.

user45475
  • 1,030
  • 2
  • 9
  • 14