Supported methods of key generation
Keys used to sign CSRs can be generated in a number of ways, differing both in where they are generated (externally or within Trust Protection Platform) and in how they are generated (using software or hardware methods).
You can choose whether to generate a private key on Trust Protection Platform, on a remote system, or on an HSM.
IMPORTANT If a certificate is associated with multiple applications, the CSR will always be centrally generated because Trust Protection Platform needs the private key so it can be pushed to all applications. Remote generation is supported only for a 1-to-1 (private key/application) relationship.
Depending on which key generation type you choose, the certificate's private key is stored either in Trust Protection Platform or in the remote system, and the CSR is either generated by Trust Protection Platform or the remote system.
The following chart shows how you can tell which type of key generation you're using, based on who is generating the key, where it is being generated, and how it is being generated.
The following table lists the various types of key generation and gives additional information about each key generation type.
Type | Description | Key Generation Location | Private Key Storage Location | Requires AKP?
---|---|---|---|---
User-generated key | When you create the CSR yourself, the key is not stored in Trust Protection Platform, but it may be stored in the system you used to generate the key. | Third-party tool | Not stored | No
Hardware central key generation | With hardware central key generation, Trust Protection Platform connects directly to the HSM and instructs the HSM to create the private key. Trust Protection Platform then exports the key from where it is stored and uses it to sign the CSR. | HSM | Trust Protection Platform (for code signing, either Trust Protection Platform or the HSM) | Yes
Software central key generation | With software central key generation, Trust Protection Platform generates and stores the private key. It then uses the key to sign the CSR. | Trust Protection Platform | Trust Protection Platform | No
Hardware remote key generation | With hardware remote key generation, Trust Protection Platform connects to the remote HSM and instructs the remote system (via a supported driver) to generate the private key using hardware generation. The remote system stores the private key on the HSM, creates the signed CSR, and exports the CSR to Trust Protection Platform. In this case, Trust Protection Platform never sees the private key, only the signed CSR. The key remains in the HSM. | HSM connected to remote system | HSM connected to remote system | Yes
Software remote key generation | With software remote key generation, Trust Protection Platform connects to the remote system and instructs it to generate a private key in software. The remote system stores the private key locally, creates the signed CSR, and exports the CSR to Trust Protection Platform. In this case, Trust Protection Platform never sees the private key, only the signed CSR. The key remains on the remote system. | Remote system | Remote system | No
To learn about the lifecycle stages of a Trust Protection Platform certificate, see About certificate lifecycle management.
Stages | Remote key generation storage | Central key generation storage
---|---|---
0-400 | Remote system (called Application in Policy Tree) | Trust Protection Platform
500-700 | Certificate Authority | Certificate Authority
800-1200 | Remote system (called Application in Policy Tree) | Application