Creating Public Asymmetric Keys

Written by Mike Rede on December 3, 2008

I recently wrote about the subject of asymmetric keys. Asymmetric keys consist of two keys: a public key and a private key. Remember that a sender uses their private key to encrypt messages and a receiver uses the sender’s public key to decrypt the encrypted message. But how are these public key pairs created?

There are two methods for creating public asymmetric keys. Some systems can generate the public key pair on the sender’s host. Other systems will generate the public key pair when creating a certificate. The certificate includes the sender’s name, their public key and a digital signature.

When a user (sender) creates their own public key pair they first create the public key pair, keep their private key and then send their public key to a Certificate Authority (CA) who uses that information to create a certificate.

When a Certificate Authority creates the public key pair the CA first creates the public key pair, creates a signed certificate and then sends the public key pair and the certificate to the user (sender).
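Both flows described above, as an added example that is not part of the original post and not code from any CA product: it uses only Go's standard `crypto/x509` library. The "Example CA", the user names and the choice of ECDSA P-256 are assumptions for the example (the post names no algorithm). In the user-generated flow only the certificate signing request (CSR) crosses to the CA and the CA checks the CSR signature to confirm the requester holds the matching private key; in the CA-generated flow the CA ends up holding the private key and must hand it back.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA is a constructed, throwaway Certificate Authority: its key pair and self-signed certificate.
type CA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewCA builds the example CA (assumed name "Example CA").
func NewCA() (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Key: key, Cert: cert}, nil
}

// issue signs an end-entity certificate binding subject to pub with the CA key.
func (ca *CA) issue(subject pkix.Name, pub *ecdsa.PublicKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// UserGeneratedFlow: the sender generates the key pair locally and sends the CA
// only a CSR (name + public key, signed with the private key). The private key
// stays with the sender; the CA never sees it.
func UserGeneratedFlow(ca *CA, name string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: name}}, userKey)
	if err != nil {
		return nil, nil, err
	}
	// CA side: csrDER is the only thing that crossed the boundary.
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, nil, err
	}
	// Proof of possession: a valid CSR signature shows the requester holds the private key.
	if err := csr.CheckSignature(); err != nil {
		return nil, nil, err
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, nil, errors.New("unexpected key type in CSR")
	}
	cert, err := ca.issue(csr.Subject, pub, 2)
	return userKey, cert, err
}

// CAGeneratedFlow: the CA generates the key pair and the certificate, so it holds
// the private key and must deliver it to the user along with the certificate.
func CAGeneratedFlow(ca *CA, name string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	cert, err := ca.issue(pkix.Name{CommonName: name}, &userKey.PublicKey, 3)
	return userKey, cert, err
}

// VerifyChain checks that cert chains to the CA and certifies the public half of key.
func VerifyChain(ca *CA, cert *x509.Certificate, key *ecdsa.PrivateKey) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !pub.Equal(&key.PublicKey) {
		return errors.New("certificate public key does not match private key")
	}
	return nil
}

func main() {
	ca, err := NewCA()
	if err != nil {
		panic(err)
	}
	// Constructed user name; both flows end with a certificate that verifies against the CA.
	userKey, userCert, err := UserGeneratedFlow(ca, "alice@example.test")
	if err != nil {
		panic(err)
	}
	fmt.Println("user-generated:", userCert.Subject.CommonName, VerifyChain(ca, userCert, userKey))
	caKey, caCert, err := CAGeneratedFlow(ca, "bob@example.test")
	if err != nil {
		panic(err)
	}
	fmt.Println("ca-generated:  ", caCert.Subject.CommonName, VerifyChain(ca, caCert, caKey))
}
```

The two flows differ only in where `ecdsa.GenerateKey` runs: inside the sender's own process, or inside the CA's. Everything the CA needs in the first flow is already in the CSR, which is why the private key never has to be copied or backed up off the sender's machine.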

Each method has its advantages and disadvantages. In the case where a user (sender) creates their own public key pair the user has the responsibility of sending the public key pair to the CA but does not worry about their private key being copied or backed up on the CA’s server. If the CA generates the public key pair then this makes less work for the user (sender) and generating keys can be performed multiple times for multiple users using the same key generation algorithms. And the only backups needed are done on the servers. But the private key must be copied and then delivered to the user (sender).

There is the additional advantage of fewer copies, less movement and thus less risk of having one’s private key stolen when the chosen method is performing one’s own public key generation on one’s own personal computer. Similarly, personal keys used for digital signatures are safer when they can’t be copied or backed up from a server that is not under one’s control, such as a server used by a Certificate Authority. But keep in mind that the public key will still need to be delivered to a Certificate Authority to create a certificate, which can be considered an inconvenience to the user (sender).

The bottom line is that you must weigh risk against convenience when choosing a method for creating a public key.
