Private Key overview and Protection Process
Purpose
This document provides essential guidelines for anyone using certificates to protect their private key. Private keys are critical for securing digital communications, ensuring authentication, confidentiality, and the integrity of information. Safeguarding your private key is vital to prevent unauthorized access, data breaches, or identity forgery.
The document outlines how to store and protect your private key, and how to respond if it is compromised. By following these best practices, users can maintain the security and reliability of their digital certificates, whether they are used for SSL, code signing, or S/MIME purposes.
2. Private Key overview
2.1. Introduction to Digital Certificates
Digital certificates, based on Public Key Infrastructure (PKI), are essential for securing internet communications and transactions. PKI ensures security by offering:
- Identification/Authentication: Verifying that the communicating party is who they claim to be.
- Confidentiality: Ensuring information is only accessible to the intended recipient.
- Integrity: Protecting information from tampering.
- Non-repudiation: Ensuring neither the sender nor the receiver can deny their involvement in communication.
- Access Control: Limiting access to information to authorized individuals only.
PKI consists of technical mechanisms and policies to secure communications. It enables people and businesses to engage in secure, legally binding online activities, such as email exchanges and transactions, through encryption using public and private key pairs.
- Encryption & Decryption: Data is encrypted using a public key and can only be decrypted with its corresponding private key. This ensures that sensitive information remains confidential, even if intercepted by unauthorized parties.
Public and private keys are cryptographically linked, with the public key available to everyone and the private key kept confidential. The private key decrypts data that was encrypted using the public key, ensuring only the private key holder can access sensitive information.
2.4. Private Key Creation
During the certificate enrollment process, two keys are generated: a public key (published within your certificate) and a private key (stored on the server where the CSR was created).
2.5. Why Protect Your Private Key?
Your private key secures your digital identity and communications. If compromised, someone can impersonate you, forge your signature, and access sensitive data or systems.
Your private key must remain confidential at all times.
3. Private Key Storage and Protection
3.1. Where is the Private Key Stored?
Your private key is stored in encrypted format on either:
- Your computer’s hard drive.
- A smart card or USB-token.
Protection is ensured by:
- Passwords: When generating your private key, you must create a strong password to prevent unauthorized access.
- Access Controls: Physically securing your computer and smart card/USB-token and ensuring unauthorized individuals cannot access them.
- Never leave your PC or smart card/USB-token unlocked or unattended, even for a few moments.
- Do not share your private keys with anyone.
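As an added example (not from this article or Sectigo's own tooling), the following POSIX shell script uses the openssl CLI to walk through sections 2.4 and 3.1 end to end: it generates the key pair at enrollment with the private key encrypted under a passphrase, builds the CSR that carries only the public key, and then checks that the CSR really belongs to that key, that the key cannot be loaded without the passphrase, and that the key file is readable by its owner only. The file paths, passphrase and subject name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Sectigo's own tooling. Assumes the openssl CLI is installed.
# Paths, passphrase and subject below are constructed placeholders.
set -eu

# Generate a 2048-bit RSA private key, encrypted at rest with AES-256 under the
# given passphrase, in a file only its owner can read.  $1 = key path, $2 = passphrase.
# Note: "pass:" puts the passphrase on the command line; outside a demo prefer
# -passout file:... or env:... so it does not show up in the process list.
make_protected_key() {
    (umask 077 && openssl genrsa -aes256 -passout "pass:$2" -out "$1" 2048 2>/dev/null)
}

# Build a CSR from the key.  The CSR carries the public key; the private key
# never leaves this host.  $1 = key path, $2 = passphrase, $3 = CSR path.
make_csr() {
    openssl req -new -key "$1" -passin "pass:$2" -subj "/CN=example.test" -out "$3"
}

# Succeed only if the public key embedded in the CSR is the one derived from
# the private key, i.e. the CSR (and later the certificate) belongs to this key.
csr_matches_key() {
    from_key=$(openssl pkey -in "$1" -passin "pass:$2" -pubout | openssl sha256)
    from_csr=$(openssl req -in "$3" -pubkey -noout | openssl sha256)
    [ "$from_key" = "$from_csr" ]
}

# Succeed only if the key cannot be loaded without the right passphrase,
# i.e. the password protection from section 3.1 is actually in force.
key_requires_passphrase() {
    ! openssl pkey -in "$1" -passin "pass:wrong-guess" -noout 2>/dev/null
}

# Succeed only if the key file is readable and writable by its owner alone (mode 600).
key_is_owner_only() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Stand-alone run ("sh script.sh demo"): everything lands in a throwaway directory.
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_protected_key "$dir/key.pem" "demo-passphrase-not-for-production"
    make_csr "$dir/key.pem" "demo-passphrase-not-for-production" "$dir/req.pem"
    csr_matches_key "$dir/key.pem" "demo-passphrase-not-for-production" "$dir/req.pem" && echo "CSR matches key"
    key_requires_passphrase "$dir/key.pem" && echo "key unreadable without passphrase"
    key_is_owner_only "$dir/key.pem" && echo "key file is owner-only"
fi
```

The same three checks are worth running against any key you are about to submit a CSR for, regardless of how it was generated.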
3.4. What to Do If Your Private Key is Compromised?
If your private key is compromised and your certificate was issued by a certificate authority, notify that CA and have every certificate that uses the key revoked. This can often be done self-service through your certificate-management tools, but contact your CA for details. Revocation tells relying parties that the private key is compromised and that the certificates bound to it are no longer valid.
Such exposure could allow threat actors to access sensitive user information and manipulate website functionality.
Immediate action is critical: revoke the compromised key and issue a replacement certificate on a newly generated key pair.
4. Consequences of Sharing or Exposing a Private Key
- Certificate Revocation:
  - If your private key is shared with anyone, you must revoke or reissue your certificate immediately.
  - If Sectigo (as a Certification Authority) investigates and finds that you shared your private key or that it was somehow compromised, all certificates associated with the key will be revoked within 24 hours. This process is automatic once we discover a compromised or shared key – for example, if a key is entered into a CSR decoder, or if the key was weakly generated by vulnerable software.