At ZeroSSL, security on our platform and on the web in general are two of our top priorities. Our team has worked long and hard to come up with an SSL certificate workflow that provides a high level of security together with the highest possible level of usability and convenience for our customers.
CSR and Private Keys
One of the reasons creating, renewing, and managing SSL certificates using ZeroSSL is as easy as clicking through a few buttons is a secure system in which the certificate key pair (the private key and the public key carried in the CSR) is generated on the client side rather than on the server side.
Private keys are confidential and are never stored in decrypted form on any server other than our customer's own server. For this reason our system uses a unique encryption method that ensures functional private keys can only ever be retrieved by our customers while logged in to their ZeroSSL account.
Here is how our encryption method works:
With each login or registration, the user account is assigned a unique encryption key, which is stored locally in the browser. When a certificate is created using ZeroSSL, a key pair is generated, and this encryption key is used to encrypt the key pair's confidential private key.
Once the certificate order is complete, the public key (CSR) and the encrypted private key are stored securely on the ZeroSSL system until the customer requests to download a ZIP containing their certificate files. When a download request comes in, the server provides the certificate files and the encrypted private key to the client (browser). The browser then retrieves its unique encryption key and uses it to decrypt the encrypted private key returned by the server. Apart from the local browser itself, no other system is capable of performing this decryption.
Finally, the client (browser) automatically creates a ZIP file and the certificate download proceeds. The downloadable ZIP file typically contains two certificate files (certificate.crt and ca_bundle.crt) as well as the functional, decrypted private key (private.key).