When private keys are created by snort it should warn the user that those keys are compromised and can be used by snort to sign anything. Just the same general problem before extensions were common