GlobalSign Blog

29 May 2014

AutoCSR demystified

Technologies for CA-initiated key generation are regularly put in the spotlight and commonly misunderstood. So what’s the truth behind AutoCSR methods and how should Certificate Authorities (CAs) maintain the security of your private key?

The benefits

Traditionally, when applying for a digital certificate, customers have to provide a Certificate Signing Request (CSR). A CSR is a data file which contains the public key that a server will use to identify itself, and is generated together with the corresponding private key. There is a variety of choices when it comes to the algorithm or key length used to create the key pair. As such, key generation is a process which requires a degree of cryptographic expertise to ensure compliance.

CSR generation remains one of the consistent problem areas faced by customers wishing to secure their server. The requirement for Certificate Authorities to carry out the key generation is a direct result of a history of ‘bad’ keys being used by customers or insecure processes in maintaining keys (such as leaving keys available in browser key stores).

With this in mind, services such as GlobalSign’s optional AutoCSR feature bring tremendous value in ensuring best practice implementation across the board, as well as reducing complexity.


The AutoCSR option on the GlobalSign platform

What are the security considerations?

This often raises the question: since private keys should remain private, how do CAs preserve the security of the private key throughout the process?

The security resides in the implementation of the feature. Certificate Authorities follow exceptionally strict and secure procedures which ensure the highest level of integrity when performing key generation and subsequent key handling.

The most important element is the quality of the random numbers used in the generation of the key pair. There are many factors that can impact the quality of the random numbers used, such as the design of the software generating them, as well as the hardware the software runs on. Users don’t always have control over these aspects so leaving it to the Certificate Authority can provide undeniable benefits.

In the case of GlobalSign’s AutoCSR option, FIPS 140 Level 3 cryptographic hardware is utilized to generate your key pair and certificate request so you can rest assured that the quality of the keys is optimal.

It is also essential for the keys to be protected when in transit. GlobalSign uses strong password protection for PFX files. As password length and complexity are critical components, users can enter as many as 50 characters for their passwords, and the system appends another eight random characters. This results in a long password with system-introduced randomness.

At the end of the process, instances of keys can be deleted (zeroized), so they don’t remain stored on our system, providing high levels of security from start to finish.

Is AutoCSR right for me?

GlobalSign offers all the advice necessary to generate keys with methods that best suit the customers and their individual applications. Customers can make use of the AutoCSR option, or they can choose to generate their own key pair and subsequently submit a CSR. We also provide a free CSR tool to simplify the process. Check it out at https://csrhelp.globalsign.com/ or talk to us for more information!
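For customers who choose to generate their own key pair and CSR, the checks worth running before submission can be scripted with the `openssl` command line. This is an added example, not GlobalSign's code or tooling; the file names, the subject `www.example.test` and the 2048-bit RSA minimum are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: names, paths and the subject are constructed placeholders.
MIN_BITS=2048   # assumed minimum RSA size; adjust to your CA's requirements

# make_csr DIR CN [BITS]: write DIR/server.key and DIR/server.csr
make_csr() {
    dir=$1; cn=$2; bits=${3:-$MIN_BITS}
    # Minimal request config so the result does not depend on the system openssl.cnf
    printf '[req]\nprompt=no\ndistinguished_name=dn\n[dn]\nCN=%s\n' "$cn" \
        > "$dir/req.cnf"
    ( umask 077   # private key file readable by its owner only
      openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$bits" \
          -out "$dir/server.key" 2>/dev/null ) || return 1
    openssl req -new -sha256 -config "$dir/req.cnf" \
        -key "$dir/server.key" -out "$dir/server.csr"
}

# csr_key_bits CSR: print the size in bits of the public key inside the CSR
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# check_csr CSR KEY: succeed only if the CSR is self-consistent, belongs to KEY,
# and carries a key of at least MIN_BITS. Return code names the failed check.
check_csr() {
    csr=$1; key=$2
    # 1. Self-signature: the CSR was signed with the private key matching the
    #    public key it contains (match on text, exit codes vary by version)
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    # 2. Public key in the CSR equals the public half of our private key
    [ "$(openssl req -in "$csr" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] || return 2
    # 3. Key size meets the assumed minimum
    [ "$(csr_key_bits "$csr")" -ge "$MIN_BITS" ] || return 3
}

# Usage: make_csr /path/to/dir www.example.test &&
#        check_csr /path/to/dir/server.csr /path/to/dir/server.key
```

Only `server.csr` is sent to the CA; `server.key` stays on the machine that generated it.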
