Keep your private key secure. Whatever type of digital certificate you have, your responsibility is to keep the private key absolutely secure. If an unauthorized person gains access to your private key, they can assume the identity that your certificate is intended to protect (e.g. you, your company, and/or your website).
Sometimes, despite your best efforts, your private key may become compromised. A private key is said to be compromised if its value has been disclosed to an unauthorized person or an unauthorized person has had access to it. While it can be very difficult to know that a private key has been acquired by bad actors, if you identify a breach in your security, it’s better to err on the side of safety and suspect that your key may have been compromised.
If your private key is ever compromised, it should be considered an emergency, and your priority should be resolving the issue immediately. This article will help you be able to recognize the signs of a compromised key, and what steps to take to re-establish security and assurance.
If your key has been compromised or you suspect it has been compromised, you can and should submit a revocation request to your CA. If your certificate was issued through SSL.com, you can submit your revocation request here.
If you have evidence of a security breach, can prove that the certificate request was not authorized, or the CA finds that the validation of domain control cannot be trusted, the certificate must be revoked within 24 hours.
For most other reasons, primarily user error, the CA may have up to 5 days to revoke.
The CA/Browser Forum baseline requirements specify 15 reasons why a key may need to be revoked. You can read all 15 here, but they can be summarized as:
– A security incident occurs (or is believed to have occurred) on your server (or any other computer where the private key is used or stored).
– A staff member with access to your private key leaves.
The private key file is deleted, destroyed or lost.
– There was an error in generating the key pair.
A security breach is a good time to update your security practices, and to report your key compromised. Again, it’s better to err on the side of caution when it comes to your certificate safety. If your key has been compromised or you suspect it has been, submit a revocation request to your CA immediately.
Losing your private key is not necessarily a reason to submit a revocation request, depending on how you lost it. If, for example, you accidentally deleted the file and there is no backup, you don’t need to file a revocation request. Instead, you can contact your CA to have the certificate reissued. SSL.com can issue a new certificate from a new key pair you generate.
If, however, you lost it in a way that it could very likely fall into someone else’s hands, such as a hard drive being stolen or misplaced, you’ll likely want to take action to have the certificate revoked.
Not every situation requires submitting a revocation. Instead, you can use SSL.com’s SSL Manager Tool (available to Windows users) to streamline the re-keying process, which will require generating a new CSR (using the same information on your original request). You can also re-key using the SSL.com web portal or via API.
Re-keying your certificate on a regular basis is generally a good security practice. Think of it in the same light as updating a password on your computer, it’s another way to stay ahead of the bad guys.
To keep your private key safe, you should always know where it is. If you don’t know where it is, check out this FAQ.
Most compromised keys are due to user error or general security breaches. Keeping good technological hygiene by updating passwords regularly, re-keying your certificate as your staff filters in and out, and other good practices are solid ways to keep your private key secure and to maintain the assurance you’re looking for.