Private Key Security Best Practices for Resellers – A GlobalSign Blog

Naturally, this topic stems from current events related to the private key exposure and subsequent mass revocation by Trustico, and of course, we must stress first off that the most secure method of key storage is to generate the private key on the server that will host the certificate and then submit only the Certificate Signing Request (CSR) when requesting the certificate. If you, as a reseller, generate private keys for any customers outside of the web server environment where the certificate will be hosted, you should stop this practice immediately. Seriously, STOP IT RIGHT NOW!
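The recommended workflow above (key generated and kept on the hosting server, only the CSR handed to the CA or reseller) as an added example; this is not code from the GlobalSign post. It assumes OpenSSL 1.1.1 or later is installed on the server, and the hostname and output directory are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original post): generate the private key on the
# server that will host the certificate, keep it there with restrictive
# permissions, and hand only the CSR to the CA or reseller.
# Assumes OpenSSL >= 1.1.1; hostname and paths are constructed sample values.

# make_key_and_csr <outdir> <fqdn>
# Creates <outdir>/<fqdn>.key (mode 0600, never leaves this host) and
# <outdir>/<fqdn>.csr (safe to send to the CA). Returns non-zero on failure.
make_key_and_csr() {
    outdir="$1"
    fqdn="$2"
    key="$outdir/$fqdn.key"
    csr="$outdir/$fqdn.csr"

    mkdir -p "$outdir" || return 1

    # umask 077 makes the key file 0600 from the moment it is created, so there
    # is no window in which another local user could read it.
    (
        umask 077
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$key" 2>/dev/null
    ) || return 1

    # The CSR carries the public key and the subject; the private key is only
    # used to sign it and stays where it was generated.
    openssl req -new -key "$key" -out "$csr" \
        -subj "/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" 2>/dev/null || return 1

    # Confirm the CSR's self-signature verifies before sending it anywhere.
    openssl req -in "$csr" -noout -verify 2>/dev/null || return 1
}

# key_is_private <keyfile>
# Checks the key is owner-read/write only (-rw-------), i.e. not group- or
# world-readable.
key_is_private() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# csr_matches_key <keyfile> <csrfile>
# Checks the CSR's public key is the one belonging to the local private key,
# so the certificate that comes back will actually work with this server.
csr_matches_key() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    c=$(openssl req -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage (constructed values):
#   make_key_and_csr /etc/ssl/private www.example.test
#   key_is_private /etc/ssl/private/www.example.test.key
#   csr_matches_key /etc/ssl/private/www.example.test.key /etc/ssl/private/www.example.test.csr
```

The `.csr` file is the only artifact that should ever leave the host; the `.key` file is read by the web server alone, and the two checks at the end are what an operator should run before opening a certificate order.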

OK. Now that’s out of the way, here’s a quick regurgitation from the previous blog on the best practices and basic methods of cryptographic key storage: No matter how much cybersecurity or end-point security you have in place, if private keys are mismanaged then all security measures have been undermined. Private keys should remain secure and, well…private! Don’t email them, share them, post them, in fact, don’t even breathe on them. Don’t believe me? Just ask Trustico how well that worked out for them.
