Bitcoin Forum
Topic: Clarification as to how the CA system can now be trusted (Read 813 times)
CIYAM (OP)
September 26, 2013, 04:51:23 PM
Last edit: September 26, 2013, 05:44:48 PM by CIYAM Open
#1

I've read in recent posts regarding the new payment system being integrated into the next version of Bitcoin that we can now trust the CA private keys to be *unknown* to anyone but the cert owner.

As an *owner* of a CA cert where the private key was *not* created by myself (which would be the case for most people unless they are using self-signed certs AFAIA) how exactly does one obtain such a cert (as clearly my own cert now needs to be changed)?

Like most website owners I purchased a cert - and there was no option for me to provide the public key - instead I was given a link to download the private key (so I would be about 99% sure that the NSA has or can get a copy of that key).

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
phillipsjk
September 26, 2013, 05:18:16 PM
#2

My webhost/registrar that has not updated their website since 1999 allows you to generate your own certs.
http://www.reg.ca/certificate.html
Can't find the form off-hand.

Bottom line is that your Certificate Authority should never have the private key for your webserver (unless they are also your webhost). If your CA does not allow you to generate your own Certs for signing, drop them like a hot potato and black-list them in the web-browser. Then come here and tell us who they are so we can black-list them in our web-browsers.

Edit: maybe I should just go ahead and blacklist the cloudflare CA.

James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
CIYAM (OP)
September 26, 2013, 05:21:27 PM
#3

Quote from: phillipsjk
Bottom line is that your Certificate Authority should never have the private key for your webserver (unless they are also your webhost). If your CA does not allow you to generate your own Certs for signing, drop them like a hot potato and black-list them in the web-browser. Then come here and tell us who they are so we can black-list them in our web-browsers.

Cert was from RapidSSL (signed by Geo-Trust) - as stated there was simply *no option* to provide a public key.

It was purchased from my VPS provider (so should I bring this up with them?).

phillipsjk
September 26, 2013, 05:24:05 PM
Last edit: September 26, 2013, 05:39:13 PM by phillipsjk
#4

You don't provide a private key. You provide your public key. Your private key is used to prove control over your web-server.

You send the public key in the generate CSR step:
Quote from: RapidSSL
Enter CSR

After generating your server's Certificate Signing Request as described in Generate CSR, paste the CSR in the form below. Please make sure that it contains the complete header and footer "BEGIN" and "END" lines exactly as in the example below.

      SAMPLE ONLY

-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----

Edit: I went through the steps of generating a more expensive wild-card cert.

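The CSR flow phillipsjk describes, as an added example that is not part of the thread: a throwaway local CA stands in for RapidSSL, and the hostname srv.example, the CA name and the working directory are assumptions. The script generates the key pair locally, hands only the CSR to the "CA", then checks that the CSR carries no private key and that the issued cert's public key matches the locally held key.

```shell
#!/bin/sh
# Added example (not from the thread). Names below (srv.example, "Demo CA",
# the temp working directory) are made up for this demo.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

WORK=${WORK:-$(mktemp -d)}

# Step 1 (server owner): generate the private key locally and a CSR that
# carries only the public key plus the requested subject.
make_key_and_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/server.key" 2>/dev/null
  openssl req -new -key "$WORK/server.key" -subj "/CN=srv.example" \
    -out "$WORK/server.csr" 2>/dev/null
}

# Step 2 (CA side, simulated): the CA sees only server.csr and signs it
# with its own key. server.key never leaves the server owner's machine.
ca_sign_csr() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -subj "/CN=Demo CA" -days 1 -out "$WORK/ca.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/server.crt" 2>/dev/null
}

# Check 1: the file that leaves the server contains no private key material.
csr_has_no_private_key() {
  ! grep -q "PRIVATE KEY" "$WORK/server.csr"
}

# Check 2: the public key in the CSR and in the issued cert equals the public
# half of the locally generated key. A mismatch means the cert you were handed
# was not built from your own key pair.
cert_matches_local_key() {
  key_pub=$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null)
  csr_pub=$(openssl req -in "$WORK/server.csr" -noout -pubkey 2>/dev/null)
  crt_pub=$(openssl x509 -in "$WORK/server.crt" -noout -pubkey 2>/dev/null)
  [ "$key_pub" = "$csr_pub" ] && [ "$csr_pub" = "$crt_pub" ]
}

make_key_and_csr
ca_sign_csr
csr_has_no_private_key && cert_matches_local_key \
  && echo "cert in $WORK/server.crt matches the locally held key"
```

Run the second check against a real certificate and the key you generated yourself; if the public keys differ, the cert was issued for a key pair you did not create, which is exactly the situation the OP was worried about.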
CIYAM (OP)
September 26, 2013, 05:25:50 PM
#5

Quote from: phillipsjk
You don't provide a private key. You provide your public key. Your private key is used to prove control over your web-server.

Oops - typo (edited to fix - my bad) - I do understand how key pairs work - but again no choice was offered.

I did wonder about the security of this after I bought it (and the lack of any instructions to use OpenSSL to create a private key).

Am pretty sure I would not be the only one in the same boat (although it was admittedly the first time I've bought a cert - prior to that I just created self-signed certs).

CIYAM (OP)
September 26, 2013, 05:41:38 PM
#6

Stupid post - I must have deleted some brain cells (I would blame Chinese wine for that) - yes indeed I did create the key pair (your post update instantly reminded me that I went through that step).

Must have not kept any record of it so I ended up confusing myself (all the conspiracy stuff since the PRISM thing has perhaps got me a bit paranoid).

Okay - some trust has now been restored (thanks).

Will lock this topic now.
