Knowledge Base

Description

What is a private key?

Where is the private key located?

How do I install my certificate?

What is a private key?

A private key is a file that helps to enable secure connections through encryption. As the name implies, this is a file that is to be kept private and secure, a certificate authority (CA) such as DigiCert will not and should never have access to this file, and other access should be as limited as possible. 

Only administrators working to secure your website or other connections should have access to the private key.

Where is the private key located?

The private key will be located on the system or appliance the certificate signing request (CSR) was generated.

• On a Windows server:
  It is stored in a hidden folder in a non-useable format. Our Digicert utility for Windows has various features to help you use your certificate and private key. (See How do I install my certificate? for more details)
  
• On a Linux machine:
  The most common way to create a CSR is by using openssl commands. The commands used will generate the CSR and private key files wherever is designated, typically in the same folder.
  
• On firewalls, load balancers, and third-party applications:
  The CSR and private key is often created on the appliance itself, CSR creation and certificate installation processes are unique to the device.
• If you are still not sure where your private key is, or are receiving errors related to the private key, it is often quickest to create a new CSR, which creates a new private key.
  • Create a new CSR for a Windows machine using the DigiCert SSL Utility
  • Use our openssl wizard for easy copy/paste command line
  • CSR generation walkthrough for various systems and appliances
    
    From there, you will need to reissue your certificate.
    Once the new certificate is processed, you are ready to install that certificate onto the same machine where the CSR was created.
• Private Keys for Code Signing only:
  Code signing private keys and certificates must be stored and installed on tokens or HSMs (hardware security modules) certified as at least FIPS 140-2 Level 2 or Common Criteria EAL 4+ as of  June 1, 2023.
  The private key will be located on the HSM or FIPS compliant device and cannot be located on a physical machine (non HSM) anymore. 
  
  What if the private key cannot be found? 
  If the private key is lost, you should reissue the code signing certificate with one of the following provisioning methods:
  • Preconfigured hardware token  
  • Existing hardware token 
  • Installed to HSM

How do I install my certificate?

After creating your CSR, which generates the private key, and ordering your certificate from Digicert, you are ready to install your certificate. The easiest way to install a certificate on a Windows server is to then use our DigiCert SSL Utility to import your certificate. This will bind the certificate to the private key so it can be used on that machine within services such as IIS or Exchange.

You can also export your certificate as a PFX or as separate certificate and key files using the utility, and use the relevant files wherever you need.

Note: A pfx or p12 file is in PCKS12 format, which includes your certificate and private key and will be password protected and should only be shared with those who need it. ( See: What is a private key?)

We also have many installation guides for various servers and platforms.