You are applying for a certificate from a certificate authority (CA) to support secure transmission on the e-commerce website that serves global customers. Which of the following actions exposes the least risk?
A. Randomly generate an asymmetric key pair on the portal of the CA.
B. Use a utility to create the certificate request on the local workstation.
C. Upload the key pair to the CA server for approval and signing.
D. Download and install the certificate containing the key pair onto the webserver.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Use a utility to create the certificate request on the local workstation.
Some certificate providers offer customers a web page that generates the key pair. However, this is not a good idea, because the certificate provider may record or escrow your private key. You shall keep your private key secret. So, use local utilities to generate the key pair, such as OpenSSL, ssh-keygen, IIS Manager, or the Certificates snap-in for MMC (Microsoft Management Console).
Only the certificate signing request, which contains the public key (not the key pair), is sent to the CA (or, more specifically, to the registration authority), because the key pair includes the private key.
A certificate comprises the public key only, even though you can package the private key with the certificate into a file. For example, “PKCS #12 defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust.” (Wikipedia)
Certificate Signing Request (CSR)
In public key infrastructure (PKI) systems, a certificate signing request (also CSR or certification request) is a message sent from an applicant to a registration authority of the public key infrastructure in order to apply for a digital identity certificate. It usually contains the public key for which the certificate should be issued, identifying information (such as a domain name) and integrity protection (e.g., a digital signature).
Before creating a CSR, the applicant first generates a key pair, keeping the private key secret. The CSR contains information identifying the applicant (such as a distinguished name in the case of an X.509 certificate) which must be signed using the applicant’s private key. The CSR also contains the public key chosen by the applicant. The CSR may be accompanied by other credentials or proofs of identity required by the certificate authority, and the certificate authority may contact the applicant for further information.
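As an added example that is not part of the original post, the following Go program (standard library only) walks through option B end to end: the key pair and CSR are created on the workstation, and a pre-upload check refuses anything other than a single, correctly self-signed CERTIFICATE REQUEST block, so a key file or a key+CSR bundle (option C) never leaves the host. The hostname shop.example.com and its www SAN are constructed values.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
)

// GenerateLocalCSR creates the key pair on this workstation (option B); the private key stays with the caller and only csrPEM is sent to the CA or RA.
func GenerateLocalCSR(host string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: host}, // identity the CA will vet
		DNSNames: []string{host, "www." + host},
	}, key) // signed with the private key: integrity protection and proof of possession
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// CheckBeforeUpload accepts exactly one CERTIFICATE REQUEST block with a valid self-signature; a key file or a key+CSR bundle (option C) is refused.
func CheckBeforeUpload(data []byte) (*x509.CertificateRequest, error) {
	block, rest := pem.Decode(data)
	if block == nil || block.Type != "CERTIFICATE REQUEST" || len(bytes.TrimSpace(rest)) != 0 {
		return nil, fmt.Errorf("upload must be exactly one CERTIFICATE REQUEST block, nothing else")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	return csr, csr.CheckSignature() // fails if the request was altered after signing
}

func main() {
	_, csrPEM, err := GenerateLocalCSR("shop.example.com") // constructed hostname
	if err != nil {
		panic(err)
	}
	csr, err := CheckBeforeUpload(csrPEM)
	fmt.Printf("CSR for %s, SANs %v, safe to upload: %v\n", csr.Subject.CommonName, csr.DNSNames, err == nil)
}
```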
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get a copy from the author's website.
A. Randomly generate an asymmetric key pair on the CA's portal.
B. Use a utility on the local workstation to create the certificate request.