Confirm, administrator
5,526
edits
Changes
m
Note: CAs must never generate the key pairs for for signer or SSL certificates. CAs may only generate the key pairs for SMIME encryption certificates. Distribution or transfer of certificates in PKCS#12 form through unsecure electronic channels is not allowed. If a PKCS#12 file is distributed via a physical data storage device, then
→Distributing generated private keys in PKCS#12 files
* The distribution channels used (e.g. unencrypted email) may not be adequately secured.
* The storage must be packaged in a way that the opening of the package causes irrecoverable physical damage. (security seal, ...)
* The PKCS#12 file must have a sufficiently secure password, and the password must not be transferred together with the storage.
