FAQ: Compromised Private Keys - SSL.com (2024)

Keep your private key secure. Whatever type of digital certificate you have, your responsibility is to keep the private key absolutely secure. If an unauthorized person gains access to your private key, they can assume the identity that your certificate is intended to protect (e.g. you, your company, and/or your website).

Sometimes, despite your best efforts, your private key may become compromised. A private key is said to be compromised if its value has been disclosed to an unauthorized person or an unauthorized person has had access to it. While it can be very difficult to know that a private key has been acquired by bad actors, if you identify a breach in your security, it’s better to err on the side of safety and suspect that your key may have been compromised.

If your private key is ever compromised, treat it as an emergency and make resolving the issue your immediate priority. This article will help you recognize the signs of a compromised key and explains what steps to take to re-establish security and assurance.


How do I revoke a certificate?

If your key has been compromised or you suspect it has been compromised, you can and should submit a revocation request to your CA. If your certificate was issued through SSL.com, you can submit your revocation request here.

If you have evidence of a security breach, can prove that the certificate request was not authorized, or the CA finds that the validation of domain control cannot be trusted, the certificate must be revoked within 24 hours.

For most other reasons, primarily user error, the CA may have up to 5 days to revoke.

When must a key be revoked?

The CA/Browser Forum baseline requirements specify 15 reasons why a key may need to be revoked. You can read all 15 here, but they can be summarized as:

• A security incident occurs (or is believed to have occurred) on your server (or any other computer where the private key is used or stored).
• A staff member with access to your private key leaves.
• The private key file is deleted, destroyed or lost.
• There was an error in generating the key pair.

A security breach is a good time to update your security practices and to report your key as compromised. Again, it’s better to err on the side of caution when it comes to your certificate safety. If your key has been compromised or you suspect it has been, submit a revocation request to your CA immediately.

What if I’ve lost my private key?

Losing your private key is not necessarily a reason to submit a revocation request, depending on how you lost it. If, for example, you accidentally deleted the file and there is no backup, you don’t need to file a revocation request. Instead, you can contact your CA to have the certificate reissued. SSL.com can issue a new certificate from a new key pair you generate.

If, however, you lost it in a way that it could very likely fall into someone else’s hands, such as a hard drive being stolen or misplaced, you’ll likely want to take action to have the certificate revoked.

Is re-keying my certificate the same as revoking it?

Not every situation requires submitting a revocation. Instead, you can use SSL.com’s SSL Manager Tool (available to Windows users) to streamline the re-keying process, which will require generating a new CSR (using the same information on your original request). You can also re-key using the SSL.com web portal or via API.

Re-keying your certificate on a regular basis is generally a good security practice. Think of it in the same light as updating a password on your computer: it’s another way to stay ahead of the bad guys.
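The re-key step described above, a new CSR carrying the same information as the original request, can also be done with the OpenSSL command line. This is an added example, not SSL.com's tooling: the file paths are placeholders, and it assumes OpenSSL 1.1.1 or later and an ASCII subject with no "/" inside its values.

```sh
#!/bin/sh
# Added example: re-key = brand-new key pair + CSR that repeats the identity
# (subject and SANs) of the certificate being replaced. Paths are placeholders.
set -eu

# SHA-256 fingerprint of a PEM public key read from stdin (hash of the DER SPKI).
spki_fp() {
  openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# rekey OLD_CERT NEW_KEY NEW_CSR -> prints the fingerprint of the new public key
rekey() {
  old_cert=$1; new_key=$2; new_csr=$3
  if [ -e "$new_key" ]; then
    echo "refusing to overwrite existing key: $new_key" >&2; return 1
  fi
  # Subject in the /C=../CN=.. form that `req -subj` accepts.
  subj=$(openssl x509 -in "$old_cert" -noout -subject -nameopt compat |
         sed 's/^subject= *//')
  # SAN list from the old certificate, rewritten into -addext syntax.
  san=$(openssl x509 -in "$old_cert" -noout -ext subjectAltName 2>/dev/null |
        sed -n '2p' | sed 's/^ *//; s/IP Address:/IP:/g; s/, /,/g')
  # umask 077 so the key file is created readable by its owner only (0600).
  ( umask 077
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
      -out "$new_key" ) || return 1
  if [ -n "$san" ]; then
    openssl req -new -key "$new_key" -subj "$subj" \
      -addext "subjectAltName=$san" -out "$new_csr" || return 1
  else
    openssl req -new -key "$new_key" -subj "$subj" -out "$new_csr" || return 1
  fi
  old_fp=$(openssl x509 -in "$old_cert" -noout -pubkey | spki_fp)
  csr_fp=$(openssl req -in "$new_csr" -noout -pubkey | spki_fp)
  key_fp=$(openssl pkey -in "$new_key" -pubout | spki_fp)
  # The CSR must carry the new key, and the new key must not be the old one.
  [ "$csr_fp" = "$key_fp" ] || { echo "CSR/key mismatch" >&2; return 1; }
  [ "$csr_fp" != "$old_fp" ] || { echo "CSR reuses the old key" >&2; return 1; }
  echo "$csr_fp"
}

# Usage: sh rekey.sh old-cert.pem new.key new.csr
if [ "$#" -eq 3 ]; then rekey "$@"; fi
```

The printed fingerprint identifies the new public key, so it can be recorded and later compared with the reissued certificate to confirm the CA signed the key you generated.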

How do I keep my private key safe?

To keep your private key safe, you should always know where it is. If you don’t know where it is, check out this FAQ.

Most compromised keys are due to user error or general security breaches. Maintaining good technological hygiene, by updating passwords regularly, re-keying your certificate as staff come and go, and following other good practices, is a solid way to keep your private key secure and to maintain the assurance you’re looking for.

Connor Wilson


As a seasoned expert in digital security and cryptographic protocols, I bring a wealth of experience and knowledge to the table. My expertise extends to the intricate world of digital certificates, private key management, and the critical aspects of safeguarding sensitive information online. Allow me to delve into the concepts presented in the provided article and shed light on the crucial elements discussed.

The article emphasizes the paramount importance of keeping one's private key secure. I fully endorse this perspective, as the private key is the linchpin of digital certificates and serves as the bedrock of identity verification in online communication. Any compromise to this key could lead to dire consequences, allowing unauthorized individuals to assume the protected identity, whether it be an individual, a company, or a website.

The concept of a compromised private key is central to the article. A compromised private key occurs when its value is disclosed to unauthorized parties or when unauthorized access is gained. Recognizing signs of compromise is challenging, but swift action is imperative in such scenarios. The article rightly considers a compromised key an emergency, underscoring the urgency of resolving the issue promptly to maintain security and assurance.

The article introduces the process of revoking a certificate, highlighting that a revocation request should be submitted to the Certificate Authority (CA) in case of a compromised key. This aligns with industry standards, as prompt revocation is crucial to prevent misuse of compromised certificates. The provided information even includes a link for users who obtained their certificate through SSL.com, facilitating a seamless revocation process.

Further, the article outlines the circumstances under which a key must be revoked, citing 15 reasons specified by the CA/Browser Forum baseline requirements. This comprehensive approach underscores the multifaceted nature of security incidents and the need for a swift response to diverse threats, ranging from security breaches to staff changes or errors in key pair generation.

The article also addresses the scenario of losing a private key, differentiating between situations where revocation is necessary and those where certificate reissuance suffices. This nuanced approach reflects a deep understanding of the intricacies involved in managing digital certificates.

An intriguing concept introduced in the article is the distinction between re-keying and revoking a certificate. Not every situation demands revocation; instead, the article suggests using SSL.com's SSL Manager Tool for efficient re-keying, promoting the idea that regular re-keying is a proactive security practice akin to updating passwords.

Lastly, the article underscores the importance of maintaining good technological hygiene to keep private keys secure. It advocates for practices such as regular password updates and certificate re-keying as solid methods to prevent user errors and security breaches that often lead to compromised keys.

In conclusion, the provided article offers a comprehensive guide to managing digital certificates and private keys, demonstrating a profound understanding of the nuances involved in maintaining robust online security practices.


Author: Carlyn Walter
