As a hosting provider, I'd like to make the process of generating a certificate for a customer's domain as convenient as possible.
I was pondering creating a webpage where anyone could:
- generate a CSR for a given hostname from our private key
- take that CSR away and return to us with a certificate
Is there any danger in allowing anyone to generate potentially thousands of CSRs based off our private key?
Addressing some concerns/questions:
I think the real danger here is re-using the same private key for a lot of domains.
Is it really any different (from a security point of view, not management) than having a single certificate with many SANs? For instance, the certificate presented by our Cloudflare CDN has these SANs:
DNS:ssl2917.cloudflare.com, DNS:*.app.com.pk, DNS:*.boldstatementmarketing.com, DNS:*.lacasadivetro.com, DNS:forospyware.com, DNS:*.reportcrowd.com, DNS:*.vladtv.com, DNS:*.1bse.com, DNS:*.discourse.org, DNS:*.forospyware.com, DNS:*.gossipbrigade.com, DNS:*.gsmcodigos.com, DNS:*.is.gl, DNS:*.madepal.co, DNS:*.mejorando.la, DNS:*.oceanvillageresort.com, DNS:*.pinside.com, DNS:*.ratelossprogram.com, DNS:*.soopermexican.com, DNS:*.tequierocali.org, DNS:1bse.com, DNS:app.com.pk, DNS:boldstatementmarketing.com, DNS:discourse.org, DNS:gossipbrigade.com, DNS:gsmcodigos.com, DNS:is.gl, DNS:lacasadivetro.com, DNS:madepal.co, DNS:mejorando.la, DNS:oceanvillageresort.com, DNS:pinside.com, DNS:ratelossprogram.com, DNS:reportcrowd.com, DNS:soopermexican.com, DNS:tequierocali.org, DNS:vladtv.com
Is there a realistic scenario in which you would have reason to believe the key of one site has leaked, while the keys of the other sites remain secure?
Not really. Should a customer using one of these keys request to move his site we wouldn't hand out the key.
You should be generating a new private key for each CSR you generate.
Right, we should. This is a case of trading off convenience (on our end) for security. For banking, hell no. Forum sites? Possibly worth it.
What you really need to think about in your setup is integrity of the CSR. The customers need to be absolutely certain that the public key in the CSR they have signed is indeed the correct public key.
Come to think of it, the best option here is probably to forego the requirement of generating a CSR… we could just hand out a single CSR to everyone and have them sign it with the hostname they prefer (similar to what StartSSL does - when signing the CSR they throw away the requested hostname and use what you enter on their webpage).
I don't know if all (any?) CAs will do that, but it's an option.
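
The CSR integrity concern above, as an added example that is not part of the original post: before taking a CSR to a CA, the customer checks its self-signature and compares the SHA-256 pin of its public key with a pin the provider has published. It uses only Go's standard library; the function names, the P-256 key, the hostname `a.example` and the idea of a published pin are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// newKey returns a fresh P-256 key (constructed sample key, hypothetical helper).
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// makeCSR is the provider side: a DER-encoded CSR for host, signed with key.
func makeCSR(key *ecdsa.PrivateKey, host string) ([]byte, error) {
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{DNSNames: []string{host}}, key)
}

// csrPin hashes the CSR's SubjectPublicKeyInfo; err is set if parsing or the self-signature fails.
func csrPin(der []byte) (string, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%x", sha256.Sum256(csr.RawSubjectPublicKeyInfo)), csr.CheckSignature()
}

// checkCSR is the customer side: the CSR must carry the key the provider published.
func checkCSR(der []byte, wantPin string) error {
	pin, err := csrPin(der)
	if err == nil && pin != wantPin {
		err = fmt.Errorf("CSR key %s is not the published key %s", pin, wantPin)
	}
	return err
}

func main() {
	shared, err := newKey() // the one provider key reused for every customer
	if err != nil {
		panic(err)
	}
	der, err := makeCSR(shared, "a.example") // constructed hostname
	if err != nil {
		panic(err)
	}
	fmt.Println(csrPin(der)) // the pin is the same for every hostname signed with this key
}
```

Because every CSR generated from the shared key carries the same public key, one published pin covers all customers, and a CSR swapped for one with a different key fails `checkCSR`.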