When a public/private key pair is generated, it must come from a good source of randomness (the operating system's cryptographic random number generator, not an application-level or seeded generator) and should normally be generated by the end entity that will use it, so that the private key never has to leave that system.
Where a private key has to be generated away from the end entity, it must be encrypted in transit and at rest. Access to the key must be monitored, authenticated and authorised (see principle 3, develop a robust certificate registration procedure).
Once a private key has been generated, it must be protected so that it can only be used by the identity it represents. The private portion should always be kept secure, while the public portion can be distributed freely to other users in the system. If the private key came into the hands of an attacker, they could use it to impersonate that identity and gain access to a system, and nothing in the certificate itself would reveal that this had happened.
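The flow described above (generate the key pair on the end entity from the OS random source, keep the private portion encrypted and readable only by its owner, and hand out only the public portion) as an added shell example. This is not Infigo's procedure or tooling; it assumes an `openssl` binary (1.1.1 or 3.x) on the PATH, and `WORKDIR`, `CN` and the file names are placeholders chosen for the example. The checks at the end are the ones a practitioner would run before sending a CSR off for signing.

```shell
#!/bin/sh
# Added example, not Infigo's own procedure: keep the private key on the end
# entity, send only the CSR, and store the key encrypted with owner-only
# permissions. Assumes openssl (1.1.1 or 3.x) on PATH; WORKDIR and CN are
# placeholder values.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CN="${CN:-www.example.com}"             # assumed placeholder host name
KEY="$WORKDIR/server.key"                # private key: never leaves this host
CSR="$WORKDIR/server.csr"                # public portion: this goes to the issuer
PASS_FILE="$WORKDIR/server.key.pass"     # passphrase protecting the key at rest

# Step 1: generate the key pair locally. openssl draws from the OS CSPRNG, and
# the -aes-256-cbc option writes the key as an encrypted PKCS#8 blob, so the
# clear-text private key is never written to disk.
gen_key() {
    umask 077                                        # new files are 0600 (owner only)
    openssl rand -base64 32 > "$PASS_FILE"           # 256-bit random passphrase
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -aes-256-cbc -pass "file:$PASS_FILE" -out "$KEY" 2>/dev/null
}

# Step 2: build the certificate signing request from the encrypted key. The
# CSR carries only the public key and the requested subject; send this file,
# not server.key, to whoever issues the certificate.
make_csr() {
    cat > "$WORKDIR/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $CN
EOF
    openssl req -new -config "$WORKDIR/req.cnf" \
        -key "$KEY" -passin "file:$PASS_FILE" -out "$CSR" 2>/dev/null
}

# The key on disk must be the encrypted PKCS#8 form, not a clear-text key.
key_is_encrypted() {
    grep -q "BEGIN ENCRYPTED PRIVATE KEY" "$KEY"
}

# Only the owner may read the key file (the umask in gen_key enforces this).
key_is_owner_only() {
    [ "$(ls -ld "$KEY" | cut -c1-10)" = "-rw-------" ]
}

# The CSR must be for the key we hold: compare the public key derived from the
# private key with the public key embedded in the CSR.
csr_matches_key() {
    from_key=$(openssl pkey -in "$KEY" -passin "file:$PASS_FILE" -pubout 2>/dev/null)
    from_csr=$(openssl req -in "$CSR" -noout -pubkey 2>/dev/null)
    [ -n "$from_key" ] && [ "$from_key" = "$from_csr" ]
}

# The CSR's self-signature must verify, proving it was produced with the
# matching private key and has not been altered in transit.
csr_signature_ok() {
    openssl req -in "$CSR" -noout -verify 2>&1 | grep -q "verify OK"
}

main() {
    gen_key
    make_csr
    key_is_encrypted  || { echo "key is not encrypted at rest" >&2; return 1; }
    key_is_owner_only || { echo "key file is readable by others" >&2; return 1; }
    csr_matches_key   || { echo "CSR public key does not match the key" >&2; return 1; }
    csr_signature_ok  || { echo "CSR self-signature failed" >&2; return 1; }
    echo "private key stays in $KEY (encrypted); send only $CSR"
}

main
```

Once the issuer returns the certificate, it is installed alongside `server.key` on the same host; at no point does the private key, or its passphrase, travel anywhere. If the key genuinely must be produced elsewhere, the same encrypted PKCS#8 form and an out-of-band passphrase are the minimum for the "encrypted in transit and at rest" requirement above.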
Why shared private keys are vulnerable:
Shared private keys open up the possibility of stolen keys, and a stolen signing key can mean vulnerable or malicious software being distributed under your company's name. It is like the key to your front door: you want it protected and only ever in the hands of people you trust. Shared private keys can be lost or stolen in transit, or abused by anyone who holds a copy. There is also no way to track who signed what and when if everyone has a local copy of the same signing key, so an incident cannot be attributed to a person or a system.
If you would like to share your private key with Infigo, or would like us to send you a private key we have generated, we must first have written consent on the support ticket confirming that you understand this invalidates the security of the SSL certificate and that you accept all associated risks.