Certificate download security?

I’m curious to know more about the certificate generation and download process.

I signed up, you sent an email, and then I downloaded the CollectCCC.p7s file, which the browser loaded into my keychain and which my email client finally accessed.

The question is concerning the p7s generation and download. Does this file include the private key? Was it generated on your server and then sent to me? If so, does this not imply that you then have access to my private key, as well as anyone conducting a man-in-the-middle attack, or corporate/government agencies you might choose to share with?

Hi ejtttje,

A key pair (public and private) is generated on the user’s PC. Then a certificate signing request (CSR) is generated to apply for a digital identity certificate. The CSR contains information identifying the applicant and the public key chosen by the applicant. The corresponding private key is not included in the CSR, but is used to digitally sign the entire request.
If the request is successful, the Comodo certificate authority (CA) will send back an e-mail with a link to collect the certificate. You collect it (with the browser or Comodo SecureEmail (CSE)) and get an identity certificate that has been digitally signed with the private key of the certificate authority (CA).

As you can see, Comodo doesn’t have access to the private key and can’t share it with corporate/government agencies. Also, no man-in-the-middle attacks are possible.

Feel free to ask any other questions about Comodo certificates and CSE.

Regards, Eugene.
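The enrolment flow Eugene describes (local key pair, CSR carrying identity plus public key and self-signed with the private key, CA-signed certificate, then a PKCS#7 bundle handed back at collection), replayed with OpenSSL as an added example. This is not code from the original thread or from Comodo/CSE; it assumes OpenSSL 1.1 or later on PATH, uses a throwaway self-signed CA standing in for the Comodo CA, and the subject names and file names are made up for illustration. The checks at the end verify the property the answer relies on: the CSR and the collected bundle contain no private key, yet the issued certificate chains to the CA and certifies exactly the public key belonging to the locally generated private key.

```shell
#!/bin/sh
# Added example (not Comodo's or CSE's code): replay the S/MIME enrolment flow
# with OpenSSL in a scratch directory. Subject names, the stand-in CA and all
# file names are assumptions for illustration only.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Key pair generated on the user's PC. user.key is the only copy of the
#    private key; no later step sends it anywhere.
gen_user_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/user.key" 2>/dev/null
}

# 2. CSR: applicant identity plus public key, signed with the private key.
gen_csr() {
  openssl req -new -key "$WORK/user.key" \
    -subj "/CN=ejtttje/emailAddress=ejtttje@example.test" \
    -out "$WORK/user.csr" 2>/dev/null
}

# 3. Stand-in CA: self-signed root that signs the CSR into an identity cert.
ca_sign_csr() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -subj "/CN=Stand-in Issuing CA" -days 1 2>/dev/null
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/user.crt" 2>/dev/null
}

# 4. Collection: the "collect" link hands back a PKCS#7 bundle holding the
#    issued certificate and the CA chain (certificates only, no key).
build_collect_bundle() {
  openssl crl2pkcs7 -nocrl -certfile "$WORK/user.crt" \
    -certfile "$WORK/ca.crt" -out "$WORK/collect.p7b" 2>/dev/null
}

run_enrolment() {
  gen_user_key && gen_csr && ca_sign_csr && build_collect_bundle
}

# --- checks a practitioner would run on the artifacts ---------------------

# The CSR's self-signature verifies, proving the applicant held the private key.
csr_signature_ok() {
  openssl req -in "$WORK/user.csr" -verify -noout >/dev/null 2>&1
}

# A PEM file that carries no "PRIVATE KEY" block of any kind.
no_private_key_in() {
  if grep -q "PRIVATE KEY" "$1"; then return 1; fi
  return 0
}

# The issued certificate validates against the CA's signature.
cert_chains_to_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/user.crt" >/dev/null 2>&1
}

# The public key inside the issued certificate is exactly the one derived
# from the private key that never left $WORK/user.key.
cert_matches_local_key() {
  from_key=$(openssl pkey -in "$WORK/user.key" -pubout 2>/dev/null)
  from_cert=$(openssl x509 -in "$WORK/user.crt" -pubkey -noout 2>/dev/null)
  [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

run_enrolment
for check in csr_signature_ok cert_chains_to_ca cert_matches_local_key; do
  if "$check"; then echo "ok: $check"; else echo "FAIL: $check"; exit 1; fi
done
for f in user.csr collect.p7b; do
  if no_private_key_in "$WORK/$f"; then
    echo "ok: $f carries no private key"
  else
    echo "FAIL: $f contains a private key"; exit 1
  fi
done
```

The decisive check is `cert_matches_local_key`: if the CA had generated the key pair server-side, the public key in the issued certificate could not match one derived from a file that only ever existed on the user's machine. Note that a PKCS#7 (`.p7s`/`.p7b`) collection file is a certificate container; it is the PKCS#12 (`.p12`/`.pfx`) format that bundles a private key with the certificate, so a `.p7s` download alone cannot carry the key.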