System status | SwissSign
21.09.2018

Changes to Key Generation Methods for SSL Certificates

Dear customer,

We would like to inform you that due to changes in the Mozilla Root Store Policy version 2.6, it is no longer permitted for a Certificate Authority (CA) to generate private keys for SSL certificates. Up until now, it was possible for a Certificate Authority to generate private keys for new SSL certificates. From now on, private keys and Certificate Signing Requests (CSR) must be created by the customer/requester themselves. You can use the OpenSSL toolkit as an option to generate the required files. To do so, please follow the steps below:

  • Log on to your server and enter the following command at the prompt: openssl req -out request.csr -new -newkey rsa:2048 -keyout privatekey.key
  • Replace "rsa:2048" with "rsa:4096" in the command above to create a Private Key with a key length of 4096 bits.
  • Enter the password that protects the private key.
  • You will be prompted to answer a series of questions (the subject fields of the certificate). You can fill in the fields or leave them empty; when you submit the request in the SwissSign GUI, you will be able to overwrite them there. A "Challenge Password" is not required for SwissSign.
  • The files privatekey.key and request.csr have now been created. The privatekey.key file must stay on your server and never be disclosed to third parties. The request.csr file is your Certificate Signing Request and can now be submitted as raw text in the PKCS#10 field of the SwissSign GUI.
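The steps above, as an added example that is not part of the SwissSign notice: a POSIX shell script that runs the same openssl command non-interactively and then checks the result before the CSR is uploaded (signature on the CSR verifies, the CSR's public key belongs to privatekey.key, the key has the intended RSA size). The file names, the subject fields and the CSR_KEY_PASS environment variable that carries the key passphrase are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not SwissSign tooling. Generates a private key plus PKCS#10 CSR
# with OpenSSL and verifies the pair. The passphrase is read from the
# environment variable CSR_KEY_PASS (a placeholder name) so that it never
# appears on the command line or in the shell history.
set -eu

# generate_key_and_csr KEYFILE CSRFILE BITS SUBJECT
# Same command as in the notice; -subj replaces the interactive questions.
generate_key_and_csr() {
    key="$1"; csr="$2"; bits="$3"; subj="$4"
    umask 077   # the key file is created readable by its owner only
    openssl req -out "$csr" -new -newkey "rsa:$bits" -keyout "$key" \
        -subj "$subj" -passout env:CSR_KEY_PASS 2>/dev/null
}

# check_csr KEYFILE CSRFILE BITS: returns 0 only if
#   1. the CSR's self-signature verifies (file not truncated or altered),
#   2. the public key inside the CSR is the one derived from KEYFILE,
#   3. the private key has the expected RSA modulus size.
check_csr() {
    key="$1"; csr="$2"; bits="$3"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin env:CSR_KEY_PASS -pubout 2>/dev/null)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ] || return 1
    # "Private-Key: (2048 bit" matches both older and newer OpenSSL output
    openssl rsa -in "$key" -passin env:CSR_KEY_PASS -noout -text 2>/dev/null \
        | grep -q "Private-Key: ($bits bit" || return 1
}

# csr_subject CSRFILE: prints the subject DN for a last look before upload
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# Usage (placeholder values):
#   export CSR_KEY_PASS='choose-a-strong-passphrase'
#   generate_key_and_csr privatekey.key request.csr 2048 \
#       "/C=CH/O=Example AG/CN=www.example.com"
#   check_csr privatekey.key request.csr 2048 && csr_subject request.csr
```

A mismatch in check_csr is the usual sign that the key and CSR in hand come from two different runs of the command; regenerate both together rather than submitting the CSR.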

Should you have any further questions, please do not hesitate to contact us by e-mail at [email protected].

Kind regards
Your SwissSign team