Secure online issuance of customer-specific certificates with offline key generation

What is claimed is: 1. A method of providing a customer-specific digital certificate to a client device of a plurality of client devices, the method comprising: receiving, in an online certificate authority, a pre-generated digital certificate and an encrypted client device private key encrypted according to a private key encryption key PrKEK; receiving, from the client device, a request for the customer-specific digital certificate, the request comprising at least one of client device identifying information and information identifying the customer, the request signed according to a pre-provisioned client device digital certificate; building the customer-specific digital certificate from the pre-generated digital certificate, a selected target digital certificate template, the client device identifying information, and the customer identifying information, comprising: identifying the client device from the client device identifying information; identifying the customer; retrieving the pre-generated digital certificate; selecting the target digital certificate template for the client device based at least in part upon the information identifying the customer, the target digital certificate template having attributes that vary according to the customer; generating the customer-specific digital certificate according to the retrieved pre-generated digital certificate, the target digital certificate template and the client device identifying information; accessing a customer-specific digital certificate signing key from a certificate authority associated with the identified customer; re-signing the customer specific digital certificate with the customer specific digital certificate signing key; and transmitting the customer-specific digital certificate and the encrypted client device private key to the client device; wherein the customer-specific digital certificate is the pre-generated digital certificate uniquely associated with the client device identifying information; and the pre-generated digital certificate is one of a batch of pre-generated digital certificates for a group of the plurality of client devices of which the client device is a member, and is provided to an online certificate authority before receiving the request for the customer-specific digital certificate. 2. The method of claim 1 , wherein: the pre-provisioned client device digital certificate is a global digital certificate; and the client device identifying information is explicitly provided in the request for the customer-specific digital certificate. 3. The method of claim 1 , wherein: the pre-provisioned client device digital certificate is unique to the client device; and the client device identifying information is determined from the pre-provisioned client device digital certificate. 4. The method of claim 1 , wherein: the system comprises a plurality of customers providing services to the plurality of client devices; and the private key encryption key PrKEK is a common encryption key shared among all devices for all customers. 5. The method of claim 1 , wherein: the system comprises a plurality of customers providing services to the plurality of client devices, and the private key encryption key PrKEK is different for each of the plurality of customers. 6. The method of claim 5 , wherein: the private key encryption key PrKEK is different for each of the plurality of client devices. 7. The method of claim 1 , wherein the client device identifying information is a MAC address of the client device. 8. The method of claim 7 , wherein the information identifying the customer includes one or more of: a customer identifier; a device credential profile identifier of the client device; and a MAC address of the client device. 9. The method of claim 1 , wherein: identifying the client device from the client device identifying information comprises: extracting the client device identifying information from the pre-provisioned client device digital certificate; and identifying the customer comprises: identifying the customer according to a comparison between the client device identifying information and a pre-determined mapping of the client device identifying information and the customer provided to an online certificate authority. 10. The method of claim 1 , wherein: identifying the client device from the client device identifying information comprises: extracting the client device identifying information from the request for the customer-specific digital certificate; and identifying the customer comprises: extract the customer identifying information from the request. 11. The method of claim 1 , wherein: the client device pre-provisioned digital certificate comprises a MAC address of the client device; and the customer is identified according to a comparison of the MAC address of the client device and whitelist of MAC addresses for each of the plurality of customers. 12. The method of claim 1 , wherein each pre-provisioned client device digital certificate is pre-installed in the associated client device at a factory producing the client device. 13. In a system comprising a plurality of customers providing services to a plurality of client devices, an apparatus for providing an customer-specific digital certificate to a client device of the plurality of client devices, comprising: a processor; a memory, communicatively coupled to the processor, the memory storing processor instructions comprising processor instructions for: receiving, in an on line certificate authority, a pre-generated digital certificate and an encrypted client device private key encrypted according to a private key encryption key PrKEK; receiving, from the client device, a request for the customer-specific digital certificate, the request comprising at least one of client device identifying information and information identifying the customer, the request signed according to a pre-provisioned client device digital certificate; and building the customer-specific digital certificate from the pre-generated digital certificate, a selected target digital certificate template, the client device identifying information, and the customer identifying information, comprising: identifying the client device from the client device identifying information; identifying the customer; retrieving the pre-generated digital certificate; selecting the target digital certificate template for the client device based at least in part upon the information identifying the customer, the target digital certificate template having attributes that vary according to the customer; generating the customer specific digital certificate according to the retrieved pre-generated digital certificate, the target digital certificate template and the client device identifying information; accessing an customer-specific digital certificate signing key from a certificate authority associated with the identified customer; re-signing the customer specific digital certificate with the customer specific digital certificate signing key; and transmitting the customer-specific digital certificate and the encrypted client device private key to the client device; wherein the customer-specific digital certificate is the pre-generated digital certificate uniquely associated with the client device identifying information; and the pre-generated digital certificate is one of a batch of pre-generated digital certificates for a group of the plurality of client devices of which the client device is a member, and is provided to an online certificate authority before receiving the request for the customer-s