
I heard that some certificate authorities generate your private key for S/MIME certificates on their servers. However, some of them, those that recommend using Internet Explorer for this purpose, probably generate the private key directly in your browser and after that send an email with the generated certificate to the email address whose common name is indicated in the certificate.

So, I am not quite sure about the whole situation. If they really generate the private key on their servers, can it be considered safe?

Could you help to clarify this situation?

t7e

1 Answer

A thread from a sister site where this question is discussed: https://security.stackexchange.com/questions/41126/whats-a-trustworthy-s-mime-certificate-provider-that-generates-my-private-key-i/41129#41129

The short version is that modern browsers often are capable of generating private keys, and so this kind of service may probably be considered safe if the CA has a good reputation.

Mikael H
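An added example, not part of the question or the answer above: one way to keep the private key off the CA's servers is to generate it locally and send only a certificate signing request (CSR), then check that the certificate that comes back was issued for your key. It assumes the OpenSSL command line is installed and that the CA accepts a CSR; the file names and the address alice@example.com are constructed.

```shell
#!/usr/bin/env bash
# Added example: local S/MIME key generation, only the CSR leaves the machine.

# Generate a key pair and a CSR locally for the given e-mail address.
# -nodes leaves the key unencrypted so the demo is non-interactive;
# protect a real key with a passphrase.
make_key_and_csr() {  # $1 = e-mail address, $2 = working directory
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$2/smime.key" -out "$2/smime.csr" \
        -subj "/CN=$1/emailAddress=$1" 2>/dev/null
    chmod 600 "$2/smime.key"
}

# SHA-256 over the DER-encoded public key of a key, CSR or certificate.
pubkey_fp() {  # $1 = key|csr|cert, $2 = file
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
    esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if the certificate was issued for the locally generated key.
cert_matches_key() {  # $1 = certificate file, $2 = private key file
    [ "$(pubkey_fp cert "$1")" = "$(pubkey_fp key "$2")" ]
}

# Succeeds if the file contains PEM private key material.
contains_private_key() { grep -q -- 'PRIVATE KEY-----' "$1"; }

# Demo in a throwaway directory (constructed identity).
demo_dir=$(mktemp -d)
make_key_and_csr "alice@example.com" "$demo_dir"
if contains_private_key "$demo_dir/smime.csr"; then
    echo "CSR contains private key material: do not send it"
else
    echo "CSR is safe to send; public key fingerprint:"
    pubkey_fp csr "$demo_dir/smime.csr"
fi
rm -rf "$demo_dir"
```

When the CA returns the certificate, `cert_matches_key issued.crt smime.key` confirms it was issued for the key that never left your machine.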