ASP certificate options and requirements
Every ASP needs to have an ASP public/private key pair with an associated certificate or certificate chain. The ASP can generate the key pair and the certificates, or purchase them from a verified third-party certification authority (CA), such as VeriSign, GlobalSign, Comodo, or DigiCert.
ASPs that intend to generate the key pairs and the certificates themselves can choose from the following options:
- Option 1: Self-signed certificate
- Option 2: Two-level certificate chain
- Option 3: Three-level certificate chain
The ASP certificates must meet the following requirements:
- The key pairs and the certificates should use either the RSA PKCS #1 v1.5 or the RSA PSS digital signing algorithm. OneSpan recommends the RSA PSS digital signing algorithm.
- All key pairs should have a key length of at least 2048 bits.
All certificates should use one of these hash functions:
- The lifetime of the ASP leaf certificate should not be longer than five years.
- The lifetime of the ASP root certificate and the intermediate certificate should not be longer than ten years.