When security parameters are initially set up for devices, a process also often referred to as “bootstrapping”, a key pair comprising a public and a private key is typically generated by a device itself. The public key can be signed by a certificate issuing agency, also often referred to as a Certification Authority (or CA for short) by means of a request message which is usually embodied in the form of a Certificate Signing Request (for short also: CSR or Certificate Request). The Certificate Signing Request cited is defined in RSC 2986, PKCS#10. The certificate is then sent to the device and can subsequently be used in security applications, for example in order to authenticate the device to an infrastructure. The term “device” shall be understood here and in the following description to mean any component and any service that are considered as suitable candidates for certification by a certification authority.
In conventional present-day methods for issuing a digital certificate by a certification authority, a public key PubKey_A generated by the device is sent by means of a CSR signed by the device with a private key PK_A generated by it to the certification authority. By verifying the signature the certification authority checks whether the device which sent the CSR is in possession of the corresponding private key PK_A. In addition device data can also be sent as part of the CSR in what are termed attributes, although said data cannot be verified by the certification authority.
However, it is often not enough merely to verify whether the device which sent a CSR is also in possession of the corresponding private key. This is because in this way it is only possible to check whether a device is able to send a signed CSR, as sent by original devices. The originality or authenticity of the device itself cannot, however, be checked by means of the methods that are customary today. A frequently employed countermeasure to deal with this problem is to transport the CSR in a secure manner, in other words, for example, through a physically separate network or by trusted service personnel on data media, such as USB sticks for example, so that in this way certificates are only generated by the certification authority for authentic CSRs and consequently for original devices.