
Symantec SSL FAQs


Protect Your Digital Certificate


Protect Your Private Key


Digital Certificates make use of a technology called Public Key Cryptography. During the initial enrolment process for obtaining a Digital ID, your computer creates two keys: one public, which is published within your certificate and posted within Symantec Australia's repository, and one private, which is stored on your computer. Symantec Australia does not have access to your private key. It is generated locally on your computer and is never transmitted to Symantec. The integrity of your certificate (your "digital identification"; "Digital ID") depends on your private key being controlled exclusively by you. IT IS YOUR RESPONSIBILITY TO PROTECT YOUR PRIVATE KEY. ANYONE WHO OBTAINS YOUR PRIVATE KEY CAN FORGE YOUR DIGITAL SIGNATURE AND TAKE ACTIONS IN YOUR NAME! (See CPS § 4.1.1).

How is my private key protected?

How should I protect my private key?

What is a "good" password?

I use Netscape 3.X. Where do I enter the password that protects my private key?

I use Microsoft Explorer 3.X. Why didn't it ask me for a password when I generated my key?

I saw a form on a Web page that asked for my Netscape (private key) password. Why do they need it?

Where does my computer store my private key?

I need to use my Digital ID at home and at work. Can I safely move my private key and Digital ID from one computer to another?

Can I change my private key password without getting a new certificate?

I forgot my private key password. Can someone change it for me?

No one can help me if I forgot my password. That doesn't sound very friendly. Why?

Someone stole my computer. Do they have my certificate's private key now?

Someone stole my computer and I elected to NOT password-protect my certificate's private key. What do I do now?

I rely on my Digital ID for very confidential communications. Is there any way I can further protect my private key?

Q: How is my private key protected?

A: Your private key is protected in two ways:

  1. It is stored on your computer's hard drive, so you control access to it.
  2. When you generate your private key, the software you use (such as your browser) will probably ask you for a password. This password protects access to your private key. For Microsoft Explorer™ users, your private key is protected by your Windows® password.

A third party can access your private key only by (i) having access to the file your key is stored in (which is usually part of your system's configuration information) and (ii) knowing your private key password. Some software permits you to choose not to protect your private key with a password. If you use this option, then you are trusting that no one, now or in the future, will gain unauthorised access to your computer.

In general, it is far easier to use a password than to completely safeguard your computer physically. Not using a password is like pre-signing all of the checks in your checkbook and then leaving it open on your desk.


Q: How should I protect my private key?

A: Protect your computer from unauthorised access by keeping it physically secure. Use access control products or operating system protection features (such as a system password). Take measures to protect your computer from viruses, because a virus may be able to attack a private key. Always choose to protect your private key with a good password. See http://csrc.nist.gov/publications/nistbul/csl96-08.txt concerning private key security and http://csrc.nist.gov/publications/nistbul/csl90-08.txt concerning computer virus attacks.


Q: What is a "good" password?

A: A good password is one that is long enough and unusual enough that an exhaustive search (such as a dictionary attack) is not likely to reveal it. A good password is easy for you to remember but difficult for someone else to guess. Use a password of at least eight characters. Do NOT use something obvious or easily traceable to you, such as your telephone number, birth date, or the name of a member of your family. Do NOT use an ordinary English word, a familiar jargon term, or a password that you have previously used. If you write down your password, do not store it in an easily accessible place. See http://csrc.nist.gov/publications/fips/fips112/fip112-1.wp and http://csrc.nist.gov/publications/fips/fips112/fip112-2.wp (both WordPerfect files) concerning password usage.


Q: I use Netscape 3.X. Where do I enter the password that protects my private key?

A: Netscape refers to your private key password as your "Netscape Password." Netscape will prompt you when the browser requires you to enter it. Note: You should *never* enter your Netscape Password in a form retrieved over the Internet. Only enter it in locally generated Netscape dialog boxes.


Q: I use Microsoft Explorer 3.X. Why didn't it ask me for a password when I generated my key?

A: Microsoft Explorer protects your private key with the Windows logon password, not with a separate password.


Q: I saw a form on a Web page that asked for my Netscape (private key) password. Why do they need it?

A: They DON'T. Never provide your private key password to anyone. No legitimate business ever needs to know this information.


Q: Where does my computer store my private key?

A: Your private key is typically stored in encrypted format in a Preferences or Configuration file that can only be unlocked (decrypted) using your private key password. For example, for Netscape version 3.0 for Macintosh, it is stored in the Security sub-folder of the Netscape folder (in the Mac Preferences folder) in a file named "Key Database." Different programs may store your private key in different places.


Q: I need to use my Digital ID at home and at work. Can I safely move my private key and Digital ID files from one computer to another?

A: It is possible to move your key and Digital ID files from one computer to another, as long as both computers are running the exact same software. You may need to talk to your software vendor to see if this is possible with the applicable software. It is very important that you use a secure password to protect your private key if you intend to move the key from machine to machine.


Q: Can I change my private key password without getting a new certificate?

A: Yes. Your private key password encrypts your certificate's private key. You can change this password (thereby re-encrypting your private key) using the program you used to create it. For example, with Netscape you can change your password from the "Passwords" dialog accessed from the Security Preferences menu. You should immediately change your password if you think someone else may have learned it.
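As an added illustration (not from the Symantec FAQ or from any vendor's software) of the mechanism behind the three answers above: the private key lives on disk only in encrypted form, a wrong passphrase fails to unlock it, and changing the passphrase re-encrypts the same key, so the public key (and therefore the certificate) is unchanged. It assumes the openssl command-line tool is installed; the passphrases are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the Symantec FAQ: what a "password-protected
# private key" means on disk, using the openssl CLI (assumed installed).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a fresh RSA key pair and store the private key ONLY in encrypted
# form (PKCS#8, AES-256-CBC, encryption key derived from the passphrase
# with PBKDF2).  The plaintext key never touches the disk.
gen_protected_key() {   # $1 = output file, $2 = passphrase
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 2>/dev/null |
    openssl pkcs8 -topk8 -v2 aes-256-cbc -iter 100000 \
      -passout "pass:$2" -out "$1"
}

# Try to unlock the key file with a candidate passphrase.  Prints the public
# key on success; exits non-zero when the passphrase is wrong.
unlock_key() {          # $1 = encrypted key file, $2 = passphrase
  openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null
}

# Change the passphrase: decrypt with the old one (in memory, via a pipe) and
# re-encrypt with the new one.  The key pair itself does not change, so the
# existing certificate remains valid.
change_passphrase() {   # $1 = key file, $2 = old passphrase, $3 = new passphrase
  openssl pkey -in "$1" -passin "pass:$2" 2>/dev/null |
    openssl pkcs8 -topk8 -v2 aes-256-cbc -iter 100000 \
      -passout "pass:$3" -out "$1.new" &&
    mv "$1.new" "$1"
}

# Demo run with constructed passphrases.
KEY="$WORK/id.key"
gen_protected_key "$KEY" 'correct horse battery staple'
grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$KEY" && echo "key file is stored encrypted"
if unlock_key "$KEY" 'password1' >/dev/null; then
  echo "BUG: wrong passphrase accepted"; exit 1
else
  echo "wrong passphrase rejected"
fi
change_passphrase "$KEY" 'correct horse battery staple' 'Tr0ub4dor&3-2024'
unlock_key "$KEY" 'Tr0ub4dor&3-2024' >/dev/null && echo "new passphrase unlocks the same key"
```

Note that nothing in the key file helps recover a forgotten passphrase: without it the file is just ciphertext, which is exactly why the FAQ says no one can change it for you.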


Q: I forgot my private key password. Can someone change it for me?

A: No. If you have forgotten your private key password, no one can help you. You will have to generate a new set of keys and obtain a new certificate. Any secure E-mail message (S/MIME) encrypted using your public key will be effectively lost. In some cases you might also have to reinstall your E-mail software and Web browser.


Q: No one can help me if I forgot my password. That doesn't sound very friendly. Why?

A: There is a trade-off between security and convenience. If there were some way for another person to recover your private key password for you, then he or she could steal it and use it for purposes you might not approve of. Certificates (Digital IDs) are still new, and not all of the features one might like to see are available yet. In the future it will be possible to save an unencrypted copy of your private key (so no password is required) on a floppy disk which you could then put in a safe place, such as a safe deposit box. Both Microsoft and Netscape are working on such a system. You could then use that floppy to recover your certificate's private key if you lose the password that normally encrypts it.


Q: Someone stole my computer. Do they have my certificate's private key now?

A: If you used a good password to protect your private key, then it is unlikely that the thief will be able to use your private key. However, you should still contact the CA that issued your certificate and request that it revoke your certificate and issue you a new one (with a new public and private key).


Q: Someone stole my computer, and I had elected to NOT password-protect my private key. What do I do now?

A: Immediately notify your CA that your key has been compromised. It will arrange to revoke your certificate and get you a new one. Note: Although relying parties should always check the revocation status of a Digital ID, some relying parties might not do so. It is a good idea to inform anyone who may be affected that your private key has been compromised.


Q: I rely on my Digital ID for very confidential communications. Is there any way I can further protect my private key?

A: There are two types of hardware devices available that are more secure than your hard drive for storing your private key. These are known as tokens (typically PCMCIA cards or special floppy disks) and smartcards. Contact your software vendor to see if it supports these devices.
