With RSA encryption, should I use the same certificate to sign and encrypt a message?

Question

If I want to sign and encrypt a message using an X509 certificate, is there any reason not to use the same certificate for encryption and signing?

Answer 1

An X509 certificate contains a public key. To encrypt, you use the recipient's public key presumably obtained from their certificate. To sign, you use your private key, presumably from a secure store. The recipient verifies the signature using your public key, presumably from your certificate. Those are the basics.

Answer 2

The sender uses his own private key to sign a message. The message is encrypted with the recipient public key. A certificate contains a public key. Presumably, the sender public key (corresponding to the sender private key used for signing the message) is also represented in a certificate.

The recipient uses his own private key (corresponding to the public key in his certificate) to decrypt the incoming message. The recipient uses the sender public key (from the sender certificate) to verify the signature.

That being said, you may envision a generic scenario where everybody can send and receive email. Therefore, everyone has a key pair (with public part in a certificate) which is used to encrypt and decrypt emails (Bob's public key is used to encrypt emails sent to Bob, and Bob uses the corresponding private key to decrypt them, i.e. to read the emails). Also, everyone has a key pair for signatures (Bob uses his private key to sign the messages that he sends, Alice uses Bob's public key to verify the signatures purportedly computed by Bob). The question is then: will Bob have two key pairs (one for encryption/decryption, and one for signature/verification), or only one key pair which is used for both jobs ?

It so happens that the RSA public encryption algorithm and the RSA signature algorithm can use the same kind of key, called (quite logically) "RSA keys". So this is doable, and actually it happens quite often.

However, generally speaking, signature keys and encryption keys have distinct life cycles and management procedures. In a business context, the direction keeps in a safe a copy of all private keys used for encryption, because losing an encryption key means losing data. And employees can become "unavailable" (employee is fired, employee retires, employee is hit by a bus...). Conversely, when a signature key is lost, previously emitted signatures are still valid and verifiable, so one simply has to create a new key pair to be able to produce other signatures. Besides, digital signatures may get a strong legal status only if there is no copy of the key in a safe somewhere. So the general advice is to keep encryption and signature keys separate. Using the same key for both is an approximation which may have unwanted side-effects (such as data loss or lack of legal value). Depending on the context, this may or may not be a problem.