Public CAs that allow you to submit a CSR for a client identity cert

I'm trying to get a client identity cert ("SSL Client"/"TLS Web client authentication") from a public CA for use with an API I am building. All the CAs I have looked at seem to assume that when someone wants a client identity cert, they want it for email signing/encryption and by extension, they want to generate the private key (typically using a browser call to the Windows CryptoAPI service — not that the CA is directly creating and seeing the private key) at the same time as issuing a signed public cert. I get how this process might make sense for a S/MIME cert, but for a service account that needs a client identity cert, I want to generate the key directly in my application, and then simply supply a csr to the CA to get a signed public cert back. It doesn't seem like I should have to allow the CA to generate my private key for a client identity cert.

Is this behavior typical for popular public CAs? Is there one that will let me submit a CSR and get back a signed certificate with the Key Usage/Extended Key Usage values appropriate for a TLS Web client authentication certificate?

Touch here for the full post on Network Security Noblemen tumblr


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s