Confirm, administrator
5,526
edits
Changes
→Distributing generated private keys in PKCS#12 files
* The user doesn't know or control who else possesses and can use his private key (decrypt his private messages or forge his signature), and
* The distribution channels used (e.g. unencrypted email) may not be adequately secured.
Note: CAs must never generate the key pairs for for signer or SSL certificates. CAs may only generate the key pairs for SMIME encryption certificates. Distribution or transfer of certificates in PKCS#12 form through unsecure electronic channels is not allowed. If a PKCS#12 file is distributed via a physical data storage device, then
* The storage must be packaged in a way that the opening of the package causes irrecoverable physical damage. (security seal, ...)
* The PKCS#12 file must have a sufficiently secure password, and the password must not be transferred together with the storage.
=== Certificates referencing hostnames or private IP addresses ===
