What is a private key?
All TLS/SSL certificates need a private key to work. The private key is a separate file used to encrypt and decrypt data sent between your server and its clients. It is created by the certificate requester while generating a Certificate Signing Request (CSR). The certificate authority (CA) issuing your certificate (such as DigiCert or EJBCA) does not create or hold the requester's private key. In fact, no one outside of your organization should ever be given access to this file. We have seen many instances where CAs have had to revoke certificates because private keys were exposed on the web; if a private key is exposed, every certificate that corresponds to it must be revoked.
If you have not yet installed your certificate, your private key is located on the computer or server where you generated the key pair and CSR. When a key pair is generated, two files are saved: one containing the public key and one containing the private key. With OpenSSL, you can run the command openssl version -a to find the folder where your key files would be saved (/usr/local/ssl by default). On Windows (IIS), the operating system manages your CSRs for you.
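Because a private key that is readable by other accounts, or that sits under a directory a web server can serve, is exactly the kind of exposure that forces a revocation, a defender's first check is simply to find such files. The Python audit below is an added example (not code from the original article or from AppViewX); it walks a directory tree, recognizes PEM private key files by their header, and flags keys with group/world-readable permissions or located under an assumed web root. The sample tree it builds is constructed for the demonstration.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# PEM headers that mark private key material: PKCS#8 (plain or encrypted),
# PKCS#1 RSA, SEC1 EC and OpenSSH formats.
PRIVATE_KEY_HEADER = re.compile(
    rb"-----BEGIN (?:ENCRYPTED |RSA |EC |OPENSSH )?PRIVATE KEY-----"
)


def is_private_key_file(path: Path) -> bool:
    """True if the first 4 KiB of the file contains a PEM private key header."""
    try:
        with open(path, "rb") as fh:
            return PRIVATE_KEY_HEADER.search(fh.read(4096)) is not None
    except OSError:
        return False


def audit_private_keys(root: Path, web_roots=()) -> list:
    """Walk `root` and report every private key file found, with its problems:
    'group_or_world_readable' if any mode bits beyond the owner's are set,
    'in_web_root' if the key sits under one of the given web-served directories.
    (Permission bits are POSIX semantics; on Windows the mode check is not meaningful.)"""
    findings = []
    web_roots = [Path(w).resolve() for w in web_roots]
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if not is_private_key_file(path):
                continue
            problems = []
            mode = stat.S_IMODE(path.stat().st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append("group_or_world_readable")
            resolved = path.resolve()
            if any(resolved.is_relative_to(w) for w in web_roots):
                problems.append("in_web_root")
            findings.append({"path": str(path), "mode": oct(mode), "problems": problems})
    return findings


def demo() -> list:
    """Constructed sample tree: one key stored correctly (0600, outside the web root),
    one left world-readable inside the web root, plus an unrelated HTML file."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "etc/ssl/private").mkdir(parents=True)
    (tmp / "var/www/html").mkdir(parents=True)
    good = tmp / "etc/ssl/private/server.key"
    good.write_bytes(b"-----BEGIN PRIVATE KEY-----\nconstructed-sample-not-a-real-key\n-----END PRIVATE KEY-----\n")
    good.chmod(0o600)
    bad = tmp / "var/www/html/backup.pem"
    bad.write_bytes(b"-----BEGIN RSA PRIVATE KEY-----\nconstructed-sample-not-a-real-key\n-----END RSA PRIVATE KEY-----\n")
    bad.chmod(0o644)
    (tmp / "var/www/html/index.html").write_text("<html></html>")
    return audit_private_keys(tmp, web_roots=[tmp / "var/www"])  # assumed web root


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```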
Advantages of private key encryption
Private key encryption provides various benefits. The top 3 reasons why private key encryption is preferred include:
- Strong security – Private keys that are longer and truly random are more resistant to brute-force attacks and dictionary attacks.
- Best for encryption – Most cryptographic processes use private keys to encrypt data transmissions. To securely share secret keys, a public key algorithm is used.
- Works for stream and block ciphers – Secret key ciphers — the algorithm for encrypting and decrypting data — generally fall into one of two categories: stream ciphers or block ciphers. A block cipher applies a private key and algorithm to a block of data simultaneously, whereas a stream cipher applies the key and algorithm one bit at a time.
Challenges in private encryption key management
The security of encryption keys depends on choosing a strong encryption algorithm and maintaining high levels of operational security. Encryption key management is a key factor for any organization using encryption to protect its data. That goes for symmetric, as well as asymmetric encryption.
While private key encryption can ensure a high level of security, the following key management challenges must be considered:
- Overall management – Encryption key management is necessary to protect cryptographic keys from loss, corruption, or unauthorized access.
- Continuous updating – Private keys used to encrypt sensitive data should be changed regularly to minimize exposure should they be leaked or stolen.
- Recoverability and loss – If an encryption key is no longer accessible, data encrypted with that key cannot be recovered.
As the internet population continues to expand for commercial, personal, and government communication, it is essential to use encryption to protect exchanges.
Securing the private keys used to protect the data is the foundation of maintaining security in all types of communication.
How does AppViewX protect the private key?
AppViewX CERT+ can be used as your organization's primary certificate lifecycle management tool. It secures your certificate information with several protective mechanisms. A certificate can be viewed or downloaded only by authorized users, based on the permissions set up by the administrator.
Only those that are part of the Certificate Group would be able to access the certificate.
In the snapshot provided below, you can see different certificate groups: "Default", "Certificate-Gateway" and "test_access". The administrator can set permissions so that users in the Default certificate group can access only the certificates created by that group. The same applies to the other certificate groups.
In addition, all data stored in the database is protected by a secure mechanism known as the break-the-glass utility.
In case of key compromise, AppViewX provides an easy way to revoke and renew the certificate with a new private key.
Let's say a requester wants to view only their own certificates (the ones they are authorized for) and download the corresponding private keys; that can also be done. At AppViewX, we have an automation utility called Visual Workflow with which we can restrict or control user access. Users can be restricted to accessing only their own certificates and private keys if the necessary user details are recorded in the certificate's metadata when the certificate is created. This way, AppViewX ensures that your certificates and private keys are securely stored.