About private key generation

[rajesh1084]

This could be a noob question -
when we request the step-ca server for a certificate using the command step certificate create <subject> <crt-file> <key-file>, who generates the key-file? If it's generated by the server, then I'm little concerned about it being sent via the network. And if it's generated at the client end, I expect only the CSR file to be sent across the network for signing (not the private key).

Please clarify.

[tashian]

Hi! Thanks for your question.

The step certificate create command is only for local certificate or CSR creation. It won't talk to the CA.

I'm going to assume you meant step ca certificate though.
For this command, the private key is generated locally, and a CSR and token are sent to the CA for signing.

You can also specify your own private key, and use the step ca sign command, passing the CSR directly in.
For example:

step crypto keypair foo.pub foo.key --kty EC
step certificate create --csr --key key.key foo foo.csr
step ca sign foo.csr foo.crt