ASP certificate options and requirements

Every ASP needs to have an ASP public/private key pair with an associated certificate or certificate chain. The ASP can generate the key pair and the certificates, or purchase them from a verified third-party certification authority (CA), such as VeriSign, GlobalSign, Comodo, or DigiCert.

ASPs that intend to generate the key pairs and the certificates themselves can choose from the following options:

Requirements for ASP key pairs and certificates

The ASP certificates must meet the following requirements:

  • The key pairs and the certificates should use either the RSA PKCS #1 v1.5 or the RSA PSS digital signing algorithm. OneSpan recommends the RSA PSS digital signing algorithm.
  • All key pairs should have a key length of at least 2048 bits.
  • All certificates should use one of these hash functions:

    • SHA-256
    • SHA-384
    • SHA-512
  • The lifetime of the ASP leaf certificate should not be longer than five years.
  • The lifetime of the ASP root certificate and the intermediate certificate should not be longer than ten years.
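
One way to check a PEM certificate against the requirements above with the OpenSSL command line. This is an added example, not OneSpan tooling; the function names and the `leaf`/`ca` role argument are assumptions of this example, and it relies on the text output of `openssl x509`.

```shell
#!/bin/sh
# Added example: check a PEM certificate against the requirements listed above.
# Function names and the leaf|ca role argument are assumptions of this example.

# "notAfter=Jan  1 00:00:00 2029 GMT" -> sortable YYYYMMDDhhmmss, with $2 years added.
date_key() {
  printf '%s\n' "$1" | awk -v add="$2" '{
    sub(/^[^=]*=/, "")
    m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
    gsub(/:/, "", $3)
    printf "%04d%02d%02d%s\n", $4 + add, m, $2, $3 }'
}

check_asp_cert() {  # usage: check_asp_cert <cert.pem> <leaf|ca>
  cert=$1; rc=0
  case "$2" in
    leaf) max=5 ;;
    ca)   max=10 ;;   # root and intermediate certificates
    *)    echo "role must be leaf or ca" >&2; return 2 ;;
  esac
  text=$(openssl x509 -in "$cert" -noout -text) || return 2

  # Signature: PKCS #1 v1.5 names the hash in the algorithm itself; RSA-PSS
  # carries it in the parameters ("sha1 (default)" when they are omitted).
  sig=$(printf '%s\n' "$text" | awk '/Signature Algorithm:/ { print $3; exit }')
  hash=
  [ "$sig" != rsassaPss ] ||
    hash=$(printf '%s\n' "$text" | awk '/Hash Algorithm:/ { print $3; exit }')
  case "$sig:$hash" in
    sha256WithRSAEncryption:|sha384WithRSAEncryption:|sha512WithRSAEncryption:) ;;
    rsassaPss:sha256|rsassaPss:sha384|rsassaPss:sha512) ;;
    *) echo "FAIL signature algorithm: $sig $hash"; rc=1 ;;
  esac

  # Key length: at least 2048 bits.
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  [ "${bits:-0}" -ge 2048 ] || { echo "FAIL key length: ${bits:-unknown} bits"; rc=1; }

  # Lifetime: notAfter must not fall later than notBefore plus the allowed years.
  start=$(openssl x509 -in "$cert" -noout -startdate)
  end=$(openssl x509 -in "$cert" -noout -enddate)
  [ "$(date_key "$end" 0)" -le "$(date_key "$start" "$max")" ] ||
    { echo "FAIL lifetime longer than $max years"; rc=1; }
  return "$rc"
}

if [ "$#" -eq 2 ]; then check_asp_cert "$1" "$2"; fi
```

The function checks one certificate per call, so run it once for each certificate in a chain, with `ca` for the root and intermediate certificates and `leaf` for the ASP leaf certificate.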