1

I have developed a USB-based hardware token which will perform cryptographic operations like key pair generation, digital signature creation, signature verification, etc. I have the following questions in mind; kindly provide the answers.

"If I need a certificate in PKCS #12 format, where should I generate the key pair?"

"If I'm generating the key pair in the token, how will my private key be sent to the Certificate Authority?"

"Where exactly is the key pair generated, and what is traveling across the network, the private key or the certificate (anyway, both contain the private key)?" Please help me.

Thirumal

1 Answer

1

If I need a certificate in PKCS #12 format, where should I generate the key pair?

A PKCS#12 file contains the public and the private key, so you should generate the key pair in a place where you can later retrieve them and pack them. Usually private keys generated in a USB token are non-extractable. In this case you could not generate a p12 file with the private key.

If I'm generating the key pair in the token, how will my private key be sent to the Certificate Authority?

You do not need to send the private key to the Certificate Authority. You generate a Certificate Signing Request (CSR) which contains some information required for the creation of the certificate and the public key of the key pair. The CSR is signed with the private key and sent to the CA, which will return you a certificate signed with the CA's private key.

Where exactly is the key pair generated, and what is traveling across the network, the private key or the certificate (anyway, both contain the private key)?

See my previous comment and please read Certificate enrollment process

pedrofb
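The CSR flow described in the answer above, as an added example that is not part of the original answer: it builds a CSR with the OpenSSL command line and checks what the file sent to the CA actually contains. It assumes a software RSA key standing in for the key a token would generate internally; the subject name and file names are constructed placeholders.

```bash
#!/usr/bin/env bash
set -eu
WORK=$(mktemp -d)                 # scratch directory for the demo files
trap 'rm -rf "$WORK"' EXIT

# Step 1: key pair generation. ASSUMPTION: a software RSA key stands in for
# the key a token would generate internally and never export.
make_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/token.key" 2>/dev/null
}

# Step 2: build the CSR (subject + public key) and sign it with the private key.
# The subject name is a constructed placeholder.
make_csr() {
  openssl req -new -key "$WORK/token.key" \
    -subj "/CN=token-user.example" -out "$WORK/request.csr"
}

# CA-side check: the CSR's self-signature proves possession of the private key.
csr_signature_ok() {
  openssl req -in "$WORK/request.csr" -noout -verify 2>&1 | grep -q "verify OK"
}

# The public key inside the CSR is the public half of the generated key pair.
csr_pubkey_matches() {
  [ "$(openssl req -in "$WORK/request.csr" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/token.key" -pubout)" ]
}

# The CSR carries no private key: OpenSSL cannot load one from it.
csr_has_no_private_key() {
  ! openssl pkey -in "$WORK/request.csr" -noout >/dev/null 2>&1
}

make_key
make_csr
csr_signature_ok       && echo "CSR self-signature verifies"
csr_pubkey_matches     && echo "CSR public key matches the key pair"
csr_has_no_private_key && echo "CSR contains no private key"
```

Only `request.csr` leaves the machine in this flow; the certificate the CA returns binds the same public key to the subject.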