Generating the ASP certificates
Every ASP needs to have an ASP public/private key pair with an associated certificate or certificate chain. The ASP can generate this key pair and certificates, or purchase them from a well-known third-party certification authority (CA), such as VeriSign, GlobalSign, Comodo, or DigiCert.
The next sections explain how ASPs can generate the key pairs and certificates themselves. The following options are considered:
- Option 1: Generating the ASP certificate: Self-signed certificate
- Option 2: Generating the ASP certificate: Certificate chain with two levels
- Option 3: Generating the ASP certificate: Certificate chain with three levels
Requirements for ASP key pairs and certificates
The following requirements apply to the ASP's certificates:
- Key pairs and certificates should use either the RSA PKCS #1 v1.5 or the RSA-PSS digital signature scheme. OneSpan recommends RSA-PSS.
- All key pairs should have a key length of at least 2048 bits.
- All certificates should use one of these hash functions:
- SHA-256
- SHA-384
- SHA-512
- The lifetime of the ASP leaf certificate should be at most five years.
- The lifetime of the ASP root and intermediate certificates should be at most ten years.