Should I reject a CSR when the host emailed me the private key for SSL certificate request?

Yes, you should absolutely reject the CSR. Additionally, you should change your hosting provider as it looks like they don't know what they are doing.

It is already bad enough that they sent you the private key via e-mail, i.e. via an insecure medium. However, they also Cc'ed it to someone else, which is a complete breach of confidentiality.

Furthermore, I wonder why they sent you the private key -- it's supposed to be installed on the server, which is something they can do by themselves.


If I were in your place I would refuse to accept this SSL certificate. The reason for that is, if someone broke into either of the e-mail accounts that received the private key, they would be able to download it and then impersonate the server in different attacks on clients, like man-in-the-middle or similar. Also, in the case that one of the receiving e-mail addresses was written incorrectly, someone may already have the private key. There are also probably many more scenarios where this private key could be downloaded and used by an attacker.

Also, notifying the company about not sharing the private key is important, to make sure that the company won't send the private key anywhere else. The private key was sent to you and some other CCs in this e-mail, but you cannot know whether the company didn't send a separate e-mail with the private key somewhere else.

There is a reason why the private key is called a private key.

Please note that this is mostly my personal opinion, and that I am not an expert with SSL.


Yes, you definitely should reject the CSR.

As to whether you should reconsider the hosting provider, it depends.

They even CC'd someone else,

Are there any reasons why the hosting company should know your internal company structure? Is the person doing this a designated account manager who has been specifically assigned to your company and is responsible for knowing who's who in your company? Did your company provide sufficient briefing to the account manager on how your company is structured and who's authorized to do what? If not, then it may be partly your (company's) fault for not making it clear to them how they should send the key to you.

In most hosting accounts, if you don't have a designated account manager who is familiar with your line of business, you should have made it very explicit to their technical support how to send the keys to you, who should receive them, and whether or not you want to receive the key in the first place. Don't assume that a technical support person knows your company's situation, and never expect a technical support person who isn't your designated account manager to remember who you are from a previous interaction.

and it's in Gmail

You do realize that sending a CSR through e-mail is also not very secure, right? It's quite possible for someone (an insider working in Gmail, or an APT) to intercept the e-mail containing the CSR, replace the CSR the host sends you with their own CSR, and sign the hosting company's CSR to the hosting company themselves. This would allow them to later use the forged certificates to MITM between you and your users and the hosting company.

A CSR must be delivered over an authenticated channel (e.g. they submit the certificate to an HTTPS site you control, or they sign the CSR with a GPG key they publish on their site), or at the very least you should do a fingerprint verification, and both you and your host need to have a way to identify and authenticate the other party. Setting up an authenticated channel can be quite an involved process, and isn't something that's going to be available from lower-cost hosting providers or those that don't specialize in high-security business hosting.

If you don't specify how your company requires the CSR to be delivered, and especially if you are not handled by an account manager who should know what kind of business you are doing, then most hosting companies would reasonably assume that you are a minimum-security company. Most people working in a minimum-security company would consider having a copy of the private key to be of higher value than the security of not controlling the key, so it's not unreasonable for them to assume the same of you.
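The two checks the answers above rely on, shown as an added example that is not part of any of the answers: the fingerprint verification of a CSR before signing it (third answer), and the test of whether a CSR was produced from a private key you know has been exposed, e.g. one that arrived by e-mail (first and second answers). The script assumes the OpenSSL command-line tool is on PATH; the keys and CSRs it works on are generated on the spot as constructed sample material, and the names "host" and "emailed" are only labels for this demo.

```sh
#!/bin/sh
# Added example, not code from the original Q&A. Assumes the openssl CLI.
set -eu

WORK="${TMPDIR:-/tmp}/csr-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample material: generate a key pair and a CSR for it the way
# the host should (key stays where it was generated, only the CSR travels).
#   $1 = basename for the files, $2 = Common Name to put in the CSR
make_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# Checks the CSR's self-signature (proof that the requester holds the key).
# Prints "ok" or "bad". Both OpenSSL 1.1.1 and 3.x print "verify OK".
csr_signature_status() {
  if openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; then
    echo ok
  else
    echo bad
  fi
}

# SHA-256 fingerprint of the public key inside a CSR. This is the value to
# read back to the requester over a phone call or another authenticated
# channel before signing, so a CSR swapped in transit is noticed.
csr_pubkey_fingerprint() {
  openssl req -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key derived from a private key file.
key_pubkey_fingerprint() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 if private key $1 is the key behind CSR $2.
key_matches_csr() {
  [ "$(key_pubkey_fingerprint "$1")" = "$(csr_pubkey_fingerprint "$2")" ]
}

# Decision for CSR $1, given a private key $2 that you know has been exposed.
# Prints "refuse: bad signature", "refuse: exposed key" or "proceed".
csr_decision() {
  if [ "$(csr_signature_status "$1")" != ok ]; then
    echo "refuse: bad signature"
  elif key_matches_csr "$2" "$1"; then
    echo "refuse: exposed key"
  else
    echo "proceed"
  fi
}

# Demo on the constructed material: one key that stayed on the host, and one
# standing in for the key that was e-mailed and CC'd around.
make_key_and_csr host www.example.com
make_key_and_csr emailed www.example.com

echo "host CSR signature:    $(csr_signature_status "$WORK/host.csr")"
echo "host CSR fingerprint:  $(csr_pubkey_fingerprint "$WORK/host.csr")"
echo "CSR from the kept key: $(csr_decision "$WORK/host.csr" "$WORK/emailed.key")"
echo "CSR from e-mailed key: $(csr_decision "$WORK/emailed.csr" "$WORK/emailed.key")"
```

The fingerprint comparison only helps if it happens over a channel the e-mail attacker does not control; if the host reads it from the same mailbox the CSR came through, it adds nothing. The "refuse: exposed key" path is the point of the first two answers: once a private key has been sent around, a certificate for it should not be issued, regardless of who actually submitted the CSR.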