Generating the ASP certificates

Every ASP needs to have an ASP public/private key pair with an associated certificate or certificate chain. The ASP can generate this key pair and certificates, or purchase them from a well-known third-party certification authority (CA), such as VeriSign, GlobalSign, Comodo, or DigiCert.

The next sections explain how ASPs can generate the key pairs and certificates themselves. The following options are considered:

Requirements for ASP key pairs and certificates

The following requirements apply to the ASP's certificates:

  • Key pairs and certificates should use RSA with either the PKCS #1 v1.5 or the PSS signature scheme. OneSpan recommends RSA-PSS.
  • All key pairs should have a key length of at least 2048 bits.
  • All certificate signatures should use one of these hash functions:
    • SHA-256
    • SHA-384
    • SHA-512
  • The lifetime of the ASP leaf certificate should be at most five years.
  • The lifetime of the ASP root and intermediate certificates should be at most ten years.
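As an added example (this script is not part of the OneSpan documentation), the following POSIX shell script uses OpenSSL 1.1.1 or later to generate a root, an intermediate and a leaf certificate that satisfy the list above, and then checks each certificate against the same requirements, including one deliberately over-long certificate that the check must reject. Subject names, file names, the 3072-bit key size and the choice of RSA-PSS key objects are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the OneSpan documentation: build a root ->
# intermediate -> leaf ASP chain that meets the requirements above, then check
# any certificate against them. Subject names, file names, the 3072-bit key
# size and the use of RSA-PSS key objects are illustrative assumptions.
set -eu
umask 077                                  # private keys are written unencrypted

WORK="${ASP_PKI_DIR:-$(mktemp -d)}"

# RSA-PSS key pair: certificates signed with it always carry the RSASSA-PSS
# signature algorithm that OneSpan recommends. 3072 bits clears the 2048 minimum.
gen_key() {   # $1 = output path
    openssl genpkey -algorithm RSA-PSS -pkeyopt rsa_keygen_bits:3072 -out "$1" 2>/dev/null
}

# Issues a certificate: CSR from the subject key, signed by the issuer key.
# $1 = name, $2 = subject DN, $3 = days, $4 = extension file,
# $5 = issuer name (omit it for a self-signed root).
issue() (
    cd "$WORK"
    openssl req -new -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
    if [ $# -ge 5 ]; then
        openssl x509 -req -in "$1.csr" -CA "$5.crt" -CAkey "$5.key" -CAcreateserial \
            -sha256 -days "$3" -extfile "$4" -out "$1.crt" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -signkey "$1.key" \
            -sha256 -days "$3" -extfile "$4" -out "$1.crt" 2>/dev/null
    fi
)

# Lifetimes stay inside the limits: 3650 days for the CAs (< 10 years),
# 1825 days for the leaf (< 5 years). Returns the result of the chain check.
build_chain() (
    cd "$WORK"
    gen_key root.key; gen_key int.key; gen_key leaf.key
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > ca.ext
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature' \
        'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > leaf.ext
    issue root '/O=Example ASP/CN=Example ASP Root CA' 3650 ca.ext
    issue int  '/O=Example ASP/CN=Example ASP Intermediate CA' 3650 ca.ext root
    issue leaf '/O=Example ASP/CN=Example ASP Signing Certificate' 1825 leaf.ext int
    # The chain must verify up to the root before the leaf is deployed.
    openssl verify -CAfile root.crt -untrusted int.crt leaf.crt >/dev/null
)

# Checks one certificate against the requirements: RSA key of at least 2048
# bits, RSA-PSS or PKCS #1 v1.5 signature using SHA-256/384/512, and a
# lifetime of at most $2 years. Returns 0 when compliant; otherwise prints the
# first violation and returns 1.
check_cert() {   # $1 = certificate file, $2 = maximum lifetime in years
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || text=''
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "$1: key is ${bits:-0} bits, minimum is 2048"; return 1
    fi
    if printf '%s\n' "$text" | grep -q 'Signature Algorithm: rsassaPss'; then
        printf '%s\n' "$text" | grep -Eq 'Hash Algorithm: sha(256|384|512)' ||
            { echo "$1: RSA-PSS hash is not SHA-256/384/512"; return 1; }
    else
        printf '%s\n' "$text" | grep -Eq 'Signature Algorithm: sha(256|384|512)WithRSAEncryption' ||
            { echo "$1: signature is neither RSA-PSS nor PKCS#1 v1.5 with SHA-2"; return 1; }
    fi
    # -checkend exits non-zero when the certificate expires inside the window,
    # which a freshly issued certificate within the limit must do. 366 days per
    # year keeps leap years from producing false alarms.
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 366 * 86400 )) >/dev/null 2>&1; then
        echo "$1: lifetime exceeds $2 years"; return 1
    fi
    return 0
}

# Negative case: a PKCS #1 v1.5 signature with SHA-256 is acceptable, but an
# 11-year lifetime is not, so check_cert must reject this certificate.
build_overlong_cert() (
    cd "$WORK"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out bad.key 2>/dev/null
    issue bad '/O=Example ASP/CN=Over-long lifetime' 4020 leaf.ext
)

# Returns 0 when the chain complies and the over-long certificate is rejected.
run_demo() {
    build_chain || return 1
    check_cert "$WORK/root.crt" 10 || return 1
    check_cert "$WORK/int.crt" 10 || return 1
    check_cert "$WORK/leaf.crt" 5 || return 1
    build_overlong_cert || return 1
    if check_cert "$WORK/bad.crt" 10; then return 1; fi
    echo "chain in $WORK meets the requirements; bad.crt correctly rejected"
}

run_demo
```

Run it as `ASP_PKI_DIR=./asp-pki sh asp-chain.sh`. The private keys are written unencrypted, so keep the directory restricted (the script sets `umask 077`) or, in production, generate the keys inside an HSM and export only the CSRs. If the ASP key must also remain usable for PKCS #1 v1.5, generate a plain RSA key instead of an RSA-PSS key and add `-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1` to the `req` and `x509` signing commands to obtain PSS signatures.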