Secure in-memory CSR Generation in browser. 100% Offline
For a Certificate Authority to issue you a certificate you must provide them with the information that you believe belongs in that certificate request. The most important piece of information being the public key that your server will use to identify itself. The Certificate Request (sometimes called a CSR or PKCS10) is how you provide that public key and prove you have the corresponding private key. To help identify which server a certificate request is for it can also include additional information such as the fully qualified host name of the server or the name of the legal entity who possesses the associated private key.
Each application stores its certificates and private keys in different ways, meaning that you often need to use a different tool to generate the certificate request for each application. Although it is not normally required, the easiest way to do this is to generate the certificate request on the server you will use the certificate on. This page helps you to generate the appropriate command line for each of your applications. Simply fill out the required fields above and it will provide you with example command lines for common applications. If your application is not listed, check the help documentation from your Certificate Authority or the application documentation for guidance on how to generate the certificate signing request.
ECC works on different principles than RSA. This different approach results in a dramatic performance improvement. With ECDSA you get as much as a 23x performance improvement for signatures. This can help your site handle more concurrent SSL negotiations but it comes at a cost. Only modern browsers support ECC cipher suites, as a result many choose to stay with RSA or to deploy both. It is important to note that not all certificate authorities (CAs) support issuing ECC certificates, as such, this decision may impact which CA you choose.
Generally speaking the larger the private key the stronger it is. Unfortunately the larger it is the slower the cryptographic operations with that key will be. Though techniques for cryptanalysis are always improving, at this time, the general consensus is that RSA 2048-bit and ECC 256-bit keys are sufficiently strong for most use cases.
There are a few things you need to keep in mind when thinking about the security of your private key:
- Are you using the latest version of the certificate request tool? There have been vulnerabilities in the way private keys are generated. Making sure you are using the most recent version helps ensure you are not using a known vulnerable key generation process.
- Does the environment you are generating the certificate request in have a good source of random numbers? The security of the key generation process is very dependent on the quality of the random numbers available to the application generating the key. For example, if the certificate request is being generated in a embedded system it may produce predictable random numbers. If you are not confident about the quality of the random numbers your device uses, generate your certificate request on a different machine
- Who has access to the private key? Anyone who gets a copy of your private key will be able to impersonate your server. You want to ensure you password protect and/or use ACLs to reduce who can have access to the private key.
Take a look at the Mozilla SSL Configuration Generator and Cipherli.st for configuration recomendations. They provide reasonable choices for secure SSL configurations.
When you are done be sure to check your score at SSL Labs. When checking your SSL score pay close attention to client compatibility and adjust settings accordingly.
Absolutely, there are a number of HTTP headers a server can send that can help the browser enforce appropriate security controls. Check out the Security Headers
We recomend you take a look at Report URI, it can help you keep an eye on your deployment of Content Security Policy (CSP) and Public Key Pinning (HPKP).
There are several organizations that offer free Domain Validated (DV) SSL certificates. One that we are involved in is Let’s Encrypt.
For Extended Validation (EV) certificates, the best experience in our opinion is offered by CertSimple.
Additionally there are a number of responsible commercial certificate authorities such as GlobalSign and DigiCert that offer a complete product portfolio of certificate related offerings.
Modern browsers support a set of APIs commonly referred to as WebCrypto. These APIs allows us to generate the keys for your certificate within your browser. We then use a library we produce called PKIjs to generate your certificate request. We never see your key and we generate a new key pair for every certificate request you make. If for some reason your browser doesn’t support WebCrypto or an algorithm we need to generate the request we simply omit this option from the results.
This site is hosted on GitHub and we use CloudFlare as a CDN. All of the resources (scripts, fonts, layout) used in the site are served using gh-pages. Because these organizations are involved they could theoretically modify the page to take a copy of the private key generated here. You can also clone this repository with this command:
git clone https://github.com/PeculiarVentures/csrhelp.git
Which will let you run this site locally and not be exposed to this risk.