This is my first time dealing with SSL, so please bear with me if parts of this question sound uninformed.
I am concerned about the security of the RSA Private Key provided by the webhost when I entered my CSR request. I don’t fully understand what this is, but I thought from what the SSL vendor said it’s a very private piece of information that could be used to compromise a site’s security if it fell into the wrong hands. Because of this, I was quite concerned that the host would send it via email in the clear. However, when I asked the host about it, they said that the key is “encrypted” and that a bad guy could NOT potentially use it to wreak any havoc on my site. I also found this old thread on another forum which seems to indicate that the RSA key is sensitive and shouldn’t be sent via email.
Could someone shed some light on this topic for me? Thanks!
A CSR does not contain your private key; it only contains your public key along with the fields and parameters that you wish to be included in the certificate.
When I made my CSR request, the host sent me an email with TWO keys in it, like so:
-----BEGIN RSA PRIVATE KEY-----
[a really long encrypted key]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
[another really long encrypted key]
-----END CERTIFICATE REQUEST-----
I’m not under the impression that the private key is part of the CSR, only that something called an RSA private key is being sent to me via email in the clear. If the RSA private key is really not a sensitive piece of information as the host indicates, I’m not concerned. If, on the other hand, it’s a potential hacker passkey, I’m kinda worried about it flying around on a cyber-postcard. Unfortunately, I just don’t know enough about SSL to know if this is the case or not.
Sorry for not answering for so long.
An RSA private key is a very sensitive piece of information.
In that case it really depends on whether the private key was encrypted or not.
Did it have two “header rows” like:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,9B605BB7C965F78CB74AAEB159A609FD
...
-----END RSA PRIVATE KEY-----
or was it plain:
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
In the first case the private key is encrypted with a passphrase, and if that passphrase is complex enough and is sent to you by other means than e-mail (certainly not in the same e-mail the key was sent in), then that is acceptable practice. Otherwise it is unacceptable practice.
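The check described in the reply above, as an added example that is not part of the original thread: a small Python script that looks only at the PEM framing and header lines of whatever was pasted into an e-mail and reports whether each private key block is encrypted or plaintext. It recognises the legacy OpenSSL format shown above (the "Proc-Type: 4,ENCRYPTED" and "DEK-Info" header rows) and also the PKCS#8 labels ("ENCRYPTED PRIVATE KEY" versus "PRIVATE KEY"), which the reply does not mention. The sample PEM blocks are constructed placeholders for this example, not real key material.

```python
"""Classify PEM private-key blocks as encrypted or plaintext.

Added example, not from the original thread. Only the PEM labels and the
optional header rows are inspected, so no crypto library is required.
"""
import re

# Constructed samples; the base64 bodies are placeholders, not real keys.
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,9B605BB7C965F78CB74AAEB159A609FD

MIIEpAIBAAKCAQEAplaceholderplaceholderplaceholder
-----END RSA PRIVATE KEY-----
"""

LEGACY_PLAINTEXT = """-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAplaceholderplaceholderplaceholder
-----END RSA PRIVATE KEY-----
"""

PKCS8_ENCRYPTED = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApplaceholderplaceholder
-----END ENCRYPTED PRIVATE KEY-----
"""

CSR = """-----BEGIN CERTIFICATE REQUEST-----
MIICvDCCAaQCAQAwdzELMAkGA1UEplaceholderplaceholder
-----END CERTIFICATE REQUEST-----
"""

# One PEM block: label in the BEGIN line must match the END line.
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def _legacy_headers(body):
    """Parse the 'Key: value' header rows that may precede the base64 in a
    legacy (traditional OpenSSL) PEM block. Headers end at a blank line;
    a body that starts directly with base64 has no headers."""
    headers = {}
    for line in body.splitlines():
        if not line.strip():
            break
        if ":" not in line:
            break  # base64 never contains ':' so this is the key data
        key, value = line.split(":", 1)
        headers[key.strip()] = value.strip()
    return headers


def _status(label, body):
    if label == "ENCRYPTED PRIVATE KEY":
        return "encrypted (PKCS#8)"
    if label == "PRIVATE KEY":
        return "PLAINTEXT (PKCS#8)"
    if label.endswith(" PRIVATE KEY"):
        # Legacy format: "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY".
        headers = _legacy_headers(body)
        if headers.get("Proc-Type") == "4,ENCRYPTED" and "DEK-Info" in headers:
            cipher = headers["DEK-Info"].split(",")[0]
            return "encrypted (legacy PEM, %s)" % cipher
        return "PLAINTEXT (legacy PEM)"
    return "not a private key"


def classify_pem_blocks(text):
    """Return [(label, status), ...] for every PEM block found in text."""
    return [(m.group(1), _status(m.group(1), m.group(2)))
            for m in BLOCK_RE.finditer(text)]


def exposes_plaintext_private_key(text):
    """True if any private key in text is unencrypted, i.e. anyone who can
    read the message can use the key."""
    return any(status.startswith("PLAINTEXT")
               for _, status in classify_pem_blocks(text))


if __name__ == "__main__":
    # The e-mail in the question: a private key followed by the CSR.
    email_body = LEGACY_PLAINTEXT + CSR
    for label, status in classify_pem_blocks(email_body):
        print("%-25s %s" % (label, status))
    print("exposed:", exposes_plaintext_private_key(email_body))
```

Two caveats a practitioner would add. First, "encrypted" in the legacy format only means the key was wrapped with a passphrase using OpenSSL's traditional PEM encryption, whose key derivation is a single MD5 pass over the passphrase and salt (EVP_BytesToKey), so a short passphrase can be brute-forced offline by anyone who captured the mail; PKCS#8 with PBKDF2 is stronger, but the passphrase still has to be good and still must not travel in the same channel as the key. Second, the cleanest fix is to never let the private key travel at all: generate the key pair on the server that will use it (for example with "openssl req -new -newkey rsa:2048 -keyout server.key -out server.csr") and send the host or CA only the CSR, which contains nothing secret.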
Thanks Aleksejs for the information. The server admin says it doesn’t really bother him to send the RSA private key through email, but they are willing to accommodate some other method if desired. Of course that means I will have to get the cert reissued with a new CSR, but I will probably do it anyway just to stay completely secure.
Just to conclude this story properly…
Kudos goes out to my host, Hostgator, which was most accommodating despite the fact that they don’t really see this as an issue. They worked with me to regenerate the CSR and deliver the RSA private key through a secure medium, then reinstalled the new one after my SSL provider, RapidSSL, reissued at no charge.
I feel better now. 