Where is your private key? If you aren’t sure, we explain how you can keep it safe, locate it when needed, or create a new one below.
Keeping Your Private Key Safe
Certificate Authorities (CAs) don’t have access to your private key—nor should they—because private keys are generated by you, on your own server or appliance. The cryptographic security of a private key comes from the size and random sequence of the prime numbers used in its creation. Essentially, a private key is a file containing a randomly generated set of numbers. Keeping this information private is essential for your key to remain secure during the lifetime of the certificate.
To ensure the security of your private key, you should limit access to members of your organization who absolutely need to have control over it. It is a best practice to change your private key (and re-key any associated certificates) if a member of your team who had access to the private key leaves your organization.
Locating Your Private Key
If you are using Windows, then your private key is stored in a hidden folder. The DigiCert Utility is a free tool you can use on Windows machines to locate a private key for a certificate by importing a certificate file into the Utility. If no valid private key is found, you can also use the DigiCert Utility to re-key your certificate.
If you are using OpenSSL to manage your private keys (e.g., on a Debian or Red Hat-based Linux distro), then the OpenSSL ‘req’ command will typically save the private key in the directory from which the command was run. Our OpenSSL CSR creation utility combines the separate commands for generating the private key and a Certificate Signing Request (CSR) from that private key into a single line, so both happen at once.
Other appliances and servers have varying methods of storing and creating private keys. In many cases, the location of the private key on the server may be entirely obfuscated. Reading documentation for your appliance is the best way to find specifics regarding how and where your appliance is storing its private keys.
Creating a New Private Key
If you’re not able to find your private key or you haven’t created one yet, you’ll need to do so before a certificate can be issued. Generally, you’ll want to create the private key on the server where you are planning on installing the certificate.
You will need to create the private key before generating the CSR. Some software combines these steps and allows you to complete them quickly. A CA “signs” the CSR to issue a certificate, which is why it may seem that professionals only talk about creating the CSR rather than the private key.
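The following script is an added example, not DigiCert's own OpenSSL CSR creation utility, that demonstrates the single-command key-plus-CSR generation described in the OpenSSL section and the "key first, then CSR" sequence described above. It assumes openssl is on PATH; the subject name, file names and directory are constructed placeholders. After generating the pair it restricts the key file to its owner and confirms that the CSR really was built from that private key by comparing the public key inside each file, which is the same check you would run when a server refuses to pair an issued certificate with the key on disk.

```shell
#!/bin/sh
# Added example (not DigiCert's tooling): generate a private key and CSR with
# one openssl req invocation, lock down the key file, and verify the CSR was
# built from that key. Assumes openssl is installed; subject is a placeholder.
set -e

# Generate key + CSR together. -keyout controls where the key lands; without
# it, openssl writes relative to the current directory. -nodes leaves the key
# unencrypted so a server can load it without a passphrase prompt.
gen_key_and_csr() {
  dir="$1"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/CN=www.example.test/O=Example Org" 2>/dev/null
  chmod 600 "$dir/server.key"      # owner read/write only
  echo "$dir/server.key"
}

# SHA-256 of the PEM public key derived from a private key file.
key_pub_fp() {
  openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}'
}

# SHA-256 of the PEM public key embedded in a CSR.
csr_pub_fp() {
  openssl req -in "$1" -noout -pubkey 2>/dev/null | openssl sha256 | awk '{print $NF}'
}

# Prints "match" if the CSR was generated from the given private key,
# "mismatch" otherwise. The same comparison works against a certificate
# (openssl x509 -in cert.pem -noout -pubkey) once the CA has issued it.
check_pair() {
  key="$1"; csr="$2"
  if [ "$(key_pub_fp "$key")" = "$(csr_pub_fp "$csr")" ]; then
    echo match
  else
    echo mismatch
  fi
}

# Octal permission bits of a file (e.g. 600); GNU stat first, BSD stat fallback.
key_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage: sh keypair.sh run
if [ "${1:-}" = "run" ]; then
  workdir=$(mktemp -d)
  key=$(gen_key_and_csr "$workdir")
  echo "key:  $key (mode $(key_mode "$key"))"
  echo "csr:  $workdir/server.csr"
  echo "pair: $(check_pair "$key" "$workdir/server.csr")"
fi
```

Keep the generated .key file on the server that will present the certificate, with the restrictive mode set above, and submit only the .csr file to the CA; the CSR carries the public key and subject details, never the private key.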
SSL certificate vendors should maintain up-to-date documentation on the exact process for generating the private key and CSR. DigiCert also has a large library of guides available here, where you can find help with the process of private key and CSR generation.