Your private key is the most important component of your SSL certificate. It’s what gives you the power to authenticate your website to internet users, helps to enable encryption and prevents others from impersonating you.
Above all else, avoid letting your private key become compromised. If you lose your key or have it compromised, it will cost you greatly; at worst, someone could impersonate your website and cost you money.
Generating a Private Key
Your private key will be generated alongside your CSR as a “Key Pair.” Depending on where you’re performing the generation process, you may need to paste the output into a text editor and name the file. Then you will upload it to your server. Make sure that you have security in place where you’re storing it. Best practice for security is to save it on an external hardware token and put it in a safeguarded storage unit.
Note: At no point in the SSL process does The SSL Store or the Certificate Authority have your private key. It should be saved safely on the server you generated it on. Do not send your private key to anyone, as that can compromise the security of your certificate. If you lose your private key, you will be unable to install your SSL certificate and will need to generate a new key pair (CSR + Private Key) and re-issue the certificate.
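The generation step described above, followed by a check that a private key and a CSR really belong together, as an added example (not The SSL Store's or any Certificate Authority's own tooling). It assumes the OpenSSL command-line tool is installed; the file names server.key and server.csr and the common name example.com are placeholders.

```shell
#!/bin/sh
# Added example: create a key pair + CSR on the server, then confirm that a
# given private key is the one a CSR was generated from.
# Assumptions: OpenSSL CLI available; server.key / server.csr are placeholder names.

# Generate a 2048-bit RSA private key and a CSR in directory $1 for common name $2.
make_key_and_csr() {
    dir=$1; cn=$2
    (
        umask 077   # the key file is created readable by its owner only
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$dir/server.key" -out "$dir/server.csr" \
            -subj "/CN=$cn" 2>/dev/null
    )
}

# SHA-256 fingerprint of the public key derived from a private key file.
# Fails (instead of hashing empty input) if the key cannot be read.
key_fingerprint() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key embedded in a CSR.
csr_fingerprint() {
    pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 only when the CSR ($2) was produced from the private key ($1).
key_matches_csr() {
    k=$(key_fingerprint "$1") || return 1
    c=$(csr_fingerprint "$2") || return 1
    [ "$k" = "$c" ]
}

# Usage (constructed values):
#   make_key_and_csr /path/to/private/dir example.com
#   key_matches_csr /path/to/private/dir/server.key /path/to/private/dir/server.csr \
#       && echo "key and CSR match"
```

Only the public key is hashed and compared, so the private key never has to leave the server to run this check.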
What happens if my Private Key is compromised?
If it’s compromised, but not misused, you’ll have to replace your SSL certificate. If your private key is misused, someone can spoof your website and phish your customers with impunity.
How does a Private Key work with SSL?
During the handshake process, the private key and its public counterpart are used for authentication. A user’s web browser uses the public key to verify the digital signature created with the private key. If the signature checks out, it is authenticated and a secure connection can be negotiated.
How does a Private Key work for Code Signing?
Similar to SSL, the private key is used to apply the digital signature to the software. When someone downloads it, their browser uses the public key to verify the signature and authenticate the publisher.