=== Distributing Generated Private Keys in PKCS#12 Files ===
It is reported that some CAs generate the key pairs for their subscribers,rather than having the subscribers generate their own key pairs, and once generated, those CAs distribute the private key, together with the issued public key certificate and its chain, to the subscriber in a PKCS#12 fileSection 5. The issues include2 of [https: * The user doesn't know or control who else possesses and can use his private key (decrypt his private messages or forge his signature), and * The distribution channels used (e//www.gmozilla. unencrypted email) may not be adequately secured. org/en-US/about/governance/policies/security-group/certs/policy#52-forbidden-and-required-practices Mozilla's Root Store Policy] states: "CAs must never MUST NOT generate the key pairs for signer or SSL end-entity certificates. CAs may only generate that have an EKU extension containing the key pairs for SMIME certificates. Distribution KeyPurposeIds id-kp-serverAuth or transfer of certificates in PKCS#12 form through unsecure electronic channels is not allowedanyExtendedKeyUsage. If a PKCS#12 file is distributed via a physical data storage device, then:"
CAs must never generate the key pairs for signer or SSL certificates. CAs may only generate the key pairs for S/MIME certificates. Distribution or transfer of certificates in PKCS#12 form through unsecure electronic channels is not allowed. If a PKCS#12 file is distributed via a physical data storage device, then:
* The storage must be packaged in a way that the opening of the package causes irrecoverable physical damage. (e.g. a security seal)
* The PKCS#12 file must have a sufficiently secure password, and the password must not be transferred together with the storage.
