Hardware central key generation with Venafi Advanced Key Protect

With hardware central key generation, Trust Protection Platform connects directly to the HSM and instructs the HSM to create the private key. Trust Protection Platform then exports the key from the HSM to the location where it is stored, and uses the key to sign the CSR.

Using an HSM for private key generation for SSH keys and certificates

Once Venafi Advanced Key Protect is enabled on your system, you can use an HSM to generate private keys for certificates in either of two ways: configure the Key Generation option at the policy level (on the Certificate tab) in Policy Tree, or change the Default Key Generation option on the encryption tree root.

If you want to use the HSM for generating SSH keys and a software driver for certificates, you need to set the Default Key Generation option on the encryption tree root to the HSM in Policy Tree. For certificates, you can override this setting by changing the Key Generation option on the Certificate tab at the policy level. For configuration information, see Configuring the root encryption driver.

Venafi Advanced Key Protect system requirements for supported HSMs

Starting with the specified client versions, the following HSMs are supported for central key generation by Venafi Advanced Key Protect and private key storage for Venafi CodeSign Protect.

IMPORTANT  Venafi recommends you consult the partner documentation for minimum supported versions.

TIP  The following tables show vendor support for generating private keys. In all cases, this refers to Hardware Central Key Generation. Learn more about Supported methods of key generation.

| Supported HSM | Docs | Encrypt Secrets | HCKG for private keys¹ | Code Signing Certificate Private Key Storage² |
|---|---|---|---|---|
| Entrust nShield Connect HSM | Partner PDF | ✓ | ✓ | ✓ |
| Thales SafeNet Luna SA (including Azure Dedicated HSM) | Partner Docs | ✓ | ✓ | ✓ |

✓ = feature is supported.

Vendor Self-Certified HSMs

NOTE  The HSM partners listed below have gone through the process of self-certification. This process involves testing the specific PKCS#11 mechanisms that Trust Protection Platform uses when an HSM protects objects such as private keys and credentials, and when Advanced Key Protect is enabled.

Self-certification means that the partner has performed the testing and demonstrated successful results and integration with Venafi. Successful self-certification results indicate that the integration will work as expected. If something behaves unexpectedly, the HSM vendor may need to be engaged. Consult the partner's documentation for the firmware version requirement.

| HSM Vendor | HSM Product | Docs | Encrypt Secrets | HCKG for private keys³ | Code Signing Certificate Private Key Storage⁴ |
|---|---|---|---|---|---|
| Atos | Trustway Proteccio | PDF (no public link; contact vendor) | ✓ | ✓ | ✓ |
| AWS | CloudHSM | Venafi Docs | ✓ | | ✓ |
| Crypto4A | QxEDGE | | ✓ | ✓ | ✓ |
| Entrust | Entrust nShield as a Service | Partner Docs | ✓ | ✓ | ✓ |
| Fortanix | Fortanix DSM | Partner Docs | ✓ | ✓ | ✓ |
| FutureX | Vectra Plus | Partner Docs | ✓ | ✓ | ✓ |
| Gradiant | KeyConnect | | | | ✓ |
| Securosys | Primus HSM and Cloud HSM Service | Partner Docs (Login required) | ✓ | ✓ | ✓ |
| Thales TCT | T-Series Luna | Partner Docs | ✓ | ✓ | ✓ |
| Thales | Data Protection on Demand | Partner Docs | ✓ | ✓ | ✓ |
| Utimaco | CryptoServer | Partner Docs (Login required) | ✓ | ✓ | ✓ |

✓ = feature is supported; an empty cell means no support is listed for that feature.