What makes my certificate secure?

Certificates contain both a public and a private key. The public key can be shared with anyone whom you wish to be able to decrypt your data and/or sign the files they send to you, but the private key must never be given to anyone.

As part of the process of purchasing a certificate, the applicant's machine generates both the public and the private key for his own certificate. These are referred to as "paired keys". Once the keys have been generated, a Certificate Signing Request (CSR) is created, containing the public key generated by the applicant's machine. This is then sent to the Certificate Authority (CA) server, automatically.

When a certificate is issued, the CSR is digitally signed, using the applicant's public key, to generate a CA-issued certificate. The certificate is then made available to the applicant for downloading.

When the certificate is received, the applicant's machine knows it must add the private key from the "paired key" combination to complete the certificate. The new certificate now contains the public and private keys generated from the applicant's own machine. As this process demonstrates, the certificate is secure because the private key never leaves the user's machine.

Please note that applicants must download the certificate onto the same machine from which they purchased the certificate, in order to combine the CA-issued certificate with the private key. Should a user wish to purchase a certificate for a machine different from the machine that they are purchasing from, they should manually generate a CSR and paste it into the CA web site when prompted.