ASP certificate options and requirements
Every ASP needs to have an ASP public/private key pair with an associated certificate or certificate chain. The ASP can generate the key pair and the certificates, or purchase them from a verified third-party certification authority (CA), such as VeriSign, GlobalSign, Comodo, or DigiCert.
ASPs that intend to generate the key pairs and the certificates themselves can choose from the following options:
- Option 1: Self-signed certificate
- Option 2: Two-level certificate chain
- Option 3: Three-level certificate chain
Requirements for ASP key pairs and certificates
The ASP certificates must meet the following requirements:
- The key pairs and the certificates should use either the RSA PKCS #1 v1.5 or the RSA PSS digital signing algorithm. OneSpan recommends the RSA PSS digital signing algorithm.
- All key pairs should have a key length of at least 2048 bits.
- All certificates should use one of these hash functions:
  - SHA-256
  - SHA-384
  - SHA-512
- The lifetime of the ASP leaf certificate should not be longer than five years.
- The lifetime of the ASP root certificate and the intermediate certificate should not be longer than ten years.
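The following script is an added example, not OneSpan's code or part of this documentation. It builds a three-level chain (Option 3: root CA, intermediate CA, leaf signing certificate) with openssl, signing with RSA-PSS and SHA-256 as recommended above, and then checks each certificate against the requirements listed here: RSA key length of at least 2048 bits, RSA PKCS #1 v1.5 or RSA-PSS signature, a SHA-256/384/512 hash, and a lifetime of at most five years for the leaf and ten years for the CA certificates. Options 1 and 2 are subsets of the same commands (a self-signed root alone, or a root that issues the leaf directly). It assumes OpenSSL 1.1.1 or later and GNU `date` for the lifetime arithmetic; the subject names and file names are placeholders.

```shell
#!/bin/sh
# Added example (not OneSpan's code): generate an RSA-PSS/SHA-256 ASP chain
# and check it against the certificate requirements. Assumes OpenSSL >= 1.1.1
# and GNU date. Subject names, file names and the work directory are placeholders.
set -u

MIN_KEY_BITS=2048
MAX_LEAF_DAYS=1826   # five years, allowing for a leap day
MAX_CA_DAYS=3653     # ten years, allowing for leap days

# gen_key FILE BITS: create an RSA private key of the given size.
gen_key() {
  openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$2" -out "$1" 2>/dev/null
}

# gen_self_signed KEY CN DAYS OUT: self-signed certificate, RSA-PSS with SHA-256.
# The default openssl.cnf marks a req -x509 certificate as CA:TRUE.
gen_self_signed() {
  openssl req -x509 -new -key "$1" -subj "/CN=$2" -days "$3" \
    -sha256 -sigopt rsa_padding_mode:pss -out "$4"
}

# make_csr KEY CN OUT: certificate signing request for KEY.
make_csr() {
  openssl req -new -key "$1" -subj "/CN=$2" -out "$3"
}

# issue_cert CSR CAKEY CACERT DAYS OUT EXT...: sign CSR with the CA key
# (RSA-PSS, SHA-256); remaining arguments are X.509v3 extension lines.
issue_cert() {
  local csr=$1 cakey=$2 cacert=$3 days=$4 out=$5
  shift 5
  printf '%s\n' "$@" > "$out.ext"
  openssl x509 -req -in "$csr" -CA "$cacert" -CAkey "$cakey" -CAcreateserial \
    -days "$days" -sha256 -sigopt rsa_padding_mode:pss -extfile "$out.ext" -out "$out"
}

# gen_chain DIR: root (10y) -> intermediate (10y) -> leaf (5y), all 2048-bit RSA.
gen_chain() {
  local d=$1
  gen_key "$d/root.key" 2048
  gen_self_signed "$d/root.key" "Example ASP Root CA" 3650 "$d/root.crt"
  gen_key "$d/intermediate.key" 2048
  make_csr "$d/intermediate.key" "Example ASP Intermediate CA" "$d/intermediate.csr"
  issue_cert "$d/intermediate.csr" "$d/root.key" "$d/root.crt" 3650 "$d/intermediate.crt" \
    "basicConstraints=critical,CA:TRUE,pathlen:0" "keyUsage=critical,keyCertSign,cRLSign"
  gen_key "$d/leaf.key" 2048
  make_csr "$d/leaf.key" "Example ASP Signing Certificate" "$d/leaf.csr"
  issue_cert "$d/leaf.csr" "$d/intermediate.key" "$d/intermediate.crt" 1825 "$d/leaf.crt" \
    "basicConstraints=critical,CA:FALSE" "keyUsage=critical,digitalSignature"
}

# check_cert CERT MAX_DAYS: return 0 if CERT meets the key-size, signature-algorithm,
# hash and lifetime requirements, else print each violation and return 1.
check_cert() {
  local cert=$1 max_days=$2 text bits sig digest nb na days ok=0
  text=$(openssl x509 -in "$cert" -noout -text)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
  sig=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: *//p' | head -n1 | tr -d ' \r')
  # For PKCS#1 v1.5 the hash is part of the algorithm name; for PSS it is a parameter line.
  digest=$(printf '%s\n' "$text" | grep -m1 -ioE 'sha(256|384|512)' | tr 'A-Z' 'a-z')
  nb=$(openssl x509 -in "$cert" -noout -startdate | cut -d= -f2)
  na=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
  days=$(( ( $(date -u -d "$na" +%s) - $(date -u -d "$nb" +%s) ) / 86400 ))

  [ "${bits:-0}" -ge "$MIN_KEY_BITS" ] \
    || { echo "$cert: key is ${bits:-?} bits, need at least $MIN_KEY_BITS"; ok=1; }
  printf '%s' "$sig" | grep -qiE '^(rsassapss|rsa-pss|sha(256|384|512)withrsaencryption)$' \
    || { echo "$cert: signature algorithm '$sig' is neither RSA PKCS#1 v1.5 nor RSA-PSS"; ok=1; }
  [ -n "$digest" ] || { echo "$cert: hash function is not SHA-256/384/512"; ok=1; }
  [ "$days" -le "$max_days" ] || { echo "$cert: lifetime of $days days exceeds $max_days"; ok=1; }
  return $ok
}

# verify_chain DIR: confirm leaf -> intermediate -> root chains correctly.
verify_chain() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediate.crt" "$1/leaf.crt" >/dev/null
}

# gen_weak_cert DIR: 1024-bit key and an 11-year lifetime, to show the checker rejecting it.
gen_weak_cert() {
  gen_key "$1/weak.key" 1024
  gen_self_signed "$1/weak.key" "Weak Example" 4000 "$1/weak.crt"
}

work=$(mktemp -d)
gen_chain "$work"
for c in root intermediate; do check_cert "$work/$c.crt" "$MAX_CA_DAYS" && echo "$c.crt: ok"; done
check_cert "$work/leaf.crt" "$MAX_LEAF_DAYS" && echo "leaf.crt: ok"
verify_chain "$work" && echo "chain verifies"
gen_weak_cert "$work"
check_cert "$work/weak.crt" "$MAX_CA_DAYS" || echo "weak.crt rejected as expected"
```

The lifetime check compares notBefore and notAfter directly rather than measuring remaining validity from today, so it gives the same answer for a certificate bought from a CA years ago as for one generated a minute ago. The `basicConstraints` and `keyUsage` extensions on the intermediate and leaf are what `openssl verify` needs to accept the chain; a CA that omits them will produce a chain that signs fine but fails path validation.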