Hardware central key generation with Venafi Advanced Key Protect
With hardware central key generation, Trust Protection Platform connects directly to the HSM and instructs the HSM to create the private key. Trust Protection Platform then exports the key from the HSM to the location where it is stored, and uses the key to sign the CSR.
Using an HSM for private key generation for SSH keys and certificates
Once Venafi Advanced Key Protect is enabled on your system, if you want to use an HSM to generate private keys for certificates, you can either configure the Key Generation option at the policy level (on the Certificate tab) in Policy Tree, or you can change the Default Key Generation option on the encryption tree root.
If you want to use the HSM for generating SSH keys and a software driver for certificates, you need to set the Default Key Generation option on the encryption tree root to the HSM in Policy Tree. For certificates, you can override this setting by changing the Key Generation option on the Certificate tab at the policy level. For configuration information, see Configuring the root encryption driver.
Venafi Advanced Key Protect system requirements for supported HSMs
Starting with the specified client versions, the following HSMs are supported for central key generation by Venafi Advanced Key Protect and private key storage for Venafi CodeSign Protect.
IMPORTANT Venafi specifies minimum supported HSM versions and expects HSM vendors to remain fully backwards compatible. If issues are found with a newer version, we will actively test against that version.
Supported HSM | Encrypt Secrets | Private Key Generation¹ | Code Signing Certificate Private Key Storage² | Minimum Client Version
---|---|---|---|---
Entrust nShield Connect HSM | | | | 12.40.2
Thales SafeNet Luna SA (including Azure Dedicated HSM) | | | | 6.2.24

NOTE Thales SafeNet Luna SA version 6.3 is known to have issues with Trust Protection Platform. We recommend not using version 6.3.
Vendor Self-Certified HSMs
NOTE The HSM Partners on the list below have gone through the process of self-certification. This process involves testing the specific PKCS#11 mechanisms that Trust Protection Platform uses when an HSM is used to protect things like private keys and credential objects, and when Advanced Key Protect is enabled.
Self-certification means that the partner has performed the testing and demonstrated successful results and integration with Venafi. Successful self-certification results indicate that the integration will work as expected. The HSM vendor may need to be engaged if something works unexpectedly.
HSM | Encrypt Secrets | Private Key Generation⁵ | Code Signing Certificate Private Key Storage⁶ | Firmware Version
---|---|---|---|---
Atos Trustway Proteccio | | | | 1.47
AWS CloudHSM | | | | 2.4
Crypto4A QxEDGE | | | | 1
Entrust nShield as a Service | | | | 12.6
Fortanix Data Security Manager | | | | 4.19
FutureX Vectra Plus | | | | 4.13
Gradiant KeyConnect | | | | 1
Securosys Primus HSM and Cloud HSM Service | | | | 2.8
Thales Data Protection on Demand | | | | 7.3
Thales TCT T-Series Luna | | | | 7.13.1
Utimaco CryptoServer | | | | 2.3