* The distribution channels used (e.g. unencrypted email) may not be adequately secured.
CAs must never generate the key pairs for signer or SSL certificates. CAs may only generate the key pairs for SMIME encryption certificates. Distribution or transfer of certificates in PKCS#12 form through unsecure electronic channels is not allowed. If a PKCS#12 file is distributed via a physical data storage device, then:
* The storage must be packaged in a way that the opening of the package causes irrecoverable physical damage. (e.g. a security seal)