Hardware central key generation with Venafi Advanced Key Protect
With hardware central key generation, Trust Protection Platform connects directly to the HSM and instructs the HSM to create the private key. Trust Protection Platform then exports the key to the location where it is stored, and uses the key to sign the CSR.
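As an added illustration (not Venafi code and not taken from this page), the flow above in Go with a simulated in-memory token standing in for the HSM's PKCS#11 interface: the key pair is generated inside the token, the caller receives only an opaque handle, and the CSR is signed through that handle so the key material never passes through the caller. The names `simulatedHSM`, `hsmSigner`, `BuildCSR` and `VerifyCSR` are assumptions for this example; the wrapped-key export step is vendor-specific and is represented here only by the handle.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
)

// simulatedHSM stands in for the PKCS#11 token (assumed, not a real driver).
// Private keys live only in this map; callers get an opaque label, never the key.
type simulatedHSM struct {
	keys map[string]*rsa.PrivateKey
}

func newSimulatedHSM() *simulatedHSM {
	return &simulatedHSM{keys: map[string]*rsa.PrivateKey{}}
}

// GenerateKeyPair plays the role of C_GenerateKeyPair: the key is created
// inside the token and only a handle (the label) plus the public key leave it.
func (h *simulatedHSM) GenerateKeyPair(label string, bits int) (*hsmSigner, error) {
	if _, exists := h.keys[label]; exists {
		return nil, errors.New("key label already in use on token")
	}
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	h.keys[label] = k
	return &hsmSigner{hsm: h, label: label, pub: &k.PublicKey}, nil
}

// hsmSigner implements crypto.Signer; Sign delegates to the token by handle.
type hsmSigner struct {
	hsm   *simulatedHSM
	label string
	pub   *rsa.PublicKey
}

func (s *hsmSigner) Public() crypto.PublicKey { return s.pub }

// Sign mirrors C_Sign with an RSA PKCS#1 v1.5 mechanism over a pre-hashed digest.
func (s *hsmSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	k, ok := s.hsm.keys[s.label]
	if !ok {
		return nil, errors.New("unknown key handle")
	}
	return rsa.SignPKCS1v15(r, k, opts.HashFunc(), digest)
}

// BuildCSR runs the central key generation flow: ask the token for a key,
// then have the token sign a CSR for the given subject. Returns DER bytes.
func BuildCSR(hsm *simulatedHSM, label, commonName string) ([]byte, error) {
	signer, err := hsm.GenerateKeyPair(label, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:            pkix.Name{CommonName: commonName},
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, signer)
}

// VerifyCSR parses the DER, checks the CSR's self-signature against the
// embedded public key, and returns the subject common name.
func VerifyCSR(der []byte) (string, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return "", err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", err
	}
	return csr.Subject.CommonName, nil
}

func main() {
	hsm := newSimulatedHSM()
	der, err := BuildCSR(hsm, "tpp-key-1", "example.test") // constructed sample subject
	if err != nil {
		panic(err)
	}
	fmt.Print(string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})))
}
```

The point of the `crypto.Signer` boundary is that everything above it (CSR template, subject, algorithm choice) works identically whether the key came from a software driver or an HSM; only the `Sign` implementation changes, which is where a real PKCS#11 binding would be substituted.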
Using an HSM for private key generation for SSH keys and certificates
Once Venafi Advanced Key Protect is enabled on your system, if you want to use an HSM to generate private keys for certificates, you can either configure the Key Generation option at the policy level (on the Certificate tab) in Policy Tree, or you can change the Default Key Generation option on the encryption tree root.
If you want to use the HSM for generating SSH keys and a software driver for certificates, you need to set the Default Key Generation option on the encryption tree root to the HSM in Policy Tree. For certificates, you can override this setting by changing the Key Generation option on the Certificate tab at the policy level. For configuration information, see Configuring the root encryption driver.
Venafi Advanced Key Protect system requirements for supported HSMs
Starting with the specified client versions, the following HSMs are supported for central key generation by Venafi Advanced Key Protect and private key storage for Venafi CodeSign Protect.
IMPORTANT Venafi recommends you consult the partner documentation for minimum supported versions.
TIP The following tables show vendor support for generating private keys. In all cases, this refers to Hardware Central Key Generation. Learn more about Supported methods of key generation.
| Supported HSM | Docs | Encrypt Secrets | HCKG for private keys¹ | Code Signing Certificate Private Key Storage² |
|---|---|---|---|---|
| Entrust nShield Connect HSM | Partner PDF | | | |
| Thales SafeNet Luna SA (including Azure Dedicated HSM) | Partner Docs | | | |
Vendor Self-Certified HSMs
NOTE The HSM Partners on the list below have gone through the process of self-certification. This process involves testing the specific PKCS#11 mechanisms that Trust Protection Platform uses when an HSM is used to protect things like private keys and credential objects, and when Advanced Key Protect is enabled.
Self-certification means that the partner has done the testing and demonstrated successful results and integration with Venafi. Successful self-certification results indicate that the integration will work as expected. The HSM vendor may need to be engaged if something is working unexpectedly. Consult the partner's documentation to determine the firmware version requirement.
| HSM Vendor | HSM Product | Docs | Encrypt Secrets | HCKG for private keys³ | Code Signing Certificate Private Key Storage⁴ |
|---|---|---|---|---|---|
| Atos | Trustway Proteccio | PDF (no public link; contact vendor) | | | |
| AWS | CloudHSM | Venafi Docs | | | |
| Crypto4A | QxEDGE | | | | |
| Entrust | Entrust nShield as a Service | Partner Docs | | | |
| Fortanix | Fortanix DSM | Partner Docs | | | |
| FutureX | Vectra Plus | Partner Docs | | | |
| Gradiant | KeyConnect | | | | |
| Securosys | Primus HSM and Cloud HSM Service | Partner Docs (login required) | | | |
| Thales TCT | T-Series Luna | Partner Docs | | | |
| Thales | Data Protection on Demand | Partner Docs | | | |
| Utimaco | CryptoServer | Partner Docs (login required) | | | |