Supported methods of key generation
Keys for signing CSRs can be generated in a number of ways, differing in where they are generated (externally or within Trust Protection Foundation) and in how they are generated (using software or hardware methods).
You can choose whether to generate a private key on Trust Protection Foundation, in a remote system, or on an HSM.
IMPORTANT If a certificate is associated with multiple applications, the CSR will always be centrally generated because Trust Protection Foundation needs the private key so it can be pushed to all applications. Remote generation is supported only for a 1-to-1 (private key/application) relationship.
Depending on which key generation type you choose, the certificate's private key is stored either in Trust Protection Foundation or in the remote system, and the CSR is either generated by Trust Protection Foundation or the remote system.
The following chart shows how you can tell which type of key generation you're using, based on who is generating the key, where it is being generated, and how it is being generated.
The following table lists the various types of key generation and gives additional information about each key generation type.
| Type | Description | Key Generation Location | Private Key Storage Location | Requires AKP? |
|---|---|---|---|---|
| User-generated key | When you create the CSR yourself, the key is not stored in Trust Protection Foundation, but it may be stored in the system you used to generate the key. | Third-party tool | Not stored | No |
| Hardware central key generation | With hardware central key generation, Trust Protection Foundation connects directly to the HSM and instructs the HSM to create the private key. Trust Protection Foundation then exports the key from where it is stored and uses the key to sign the CSR. | HSM | Trust Protection Foundation (for code signing, either Trust Protection Foundation or the HSM) | Yes |
| Software central key generation | With software central key generation, Trust Protection Foundation generates and stores the private key. It then uses the key to sign the CSR. | Trust Protection Foundation | Trust Protection Foundation | No |
| Hardware remote key generation | With hardware remote key generation, Trust Protection Foundation connects to the remote HSM and instructs the remote system (via a supported driver) to generate the private key using hardware generation. The remote system stores the private key on the HSM and creates the signed CSR, which is exported to Trust Protection Foundation. In this case, Trust Protection Foundation never sees the private key, just the signed CSR. The key remains in the HSM. | HSM connected to remote system | HSM connected to remote system | Yes |
| Software remote key generation | With software remote key generation, Trust Protection Foundation connects to the remote system and instructs it to generate a private key using software. The remote system stores the private key locally and creates the signed CSR, which is exported to Trust Protection Foundation. In this case, Trust Protection Foundation never sees the private key, just the signed CSR. The key remains on the remote system. | Remote system | Remote system | No |
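Both remote rows rest on the same mechanism: the only thing that leaves the remote system is a CSR self-signed with the new private key, and the central side can check that signature without ever holding the key. The Go program below is an added illustration, not part of this page or of Trust Protection Foundation's own code; it uses only the standard library and models both sides with a hypothetical `remoteSystem` (generates a P-256 key, emits a PEM CSR) and a hypothetical `acceptCSR` (verifies the proof-of-possession signature, then extracts the subject and public key).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
)

// remoteSystem models the remote side: the private key is generated and kept here, never exported.
type remoteSystem struct{ key *ecdsa.PrivateKey }

func newRemoteSystem() (*remoteSystem, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &remoteSystem{key: k}, nil
}

// signedCSR builds a CSR for cn, signs it with the local key (proof of possession) and returns PEM.
func (r *remoteSystem) signedCSR(cn string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, r.key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// acceptCSR models the central side: it sees only the PEM CSR, verifies the proof-of-possession
// signature, and returns the subject common name and public key to forward to the CA.
func acceptCSR(pemCSR []byte) (string, any, error) {
	block, _ := pem.Decode(pemCSR)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return "", nil, fmt.Errorf("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", nil, err
	}
	// ParseCertificateRequest does not check the signature, so verify it explicitly.
	if err := csr.CheckSignature(); err != nil {
		return "", nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	return csr.Subject.CommonName, csr.PublicKey, nil
}
```

A CSR whose signature no longer verifies (for example, one altered after signing) is rejected by `acceptCSR` before its contents are trusted.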
The following table shows where the private key is stored at each lifecycle stage, for remote and for central key generation. To learn about the lifecycle stages of a Trust Protection Foundation certificate, see About certificate lifecycle management.
| Stages | Remote key generation storage | Central key generation storage |
|---|---|---|
| 0-400 | Remote system (called Application in Policy Tree) | Trust Protection Foundation |
| 500-700 | Certificate Authority | Certificate Authority |
| 800-1200 | Remote system (called Application in Policy Tree) | Application |