Enabling remote key generation for CAPI certificates

If you have Venafi Advanced Key Protect enabled, you can enable specific installations to use remote key generation.

Configuring remote key generation for CAPI

  1. In TLS Protect, locate a certificate with installations of type CAPI.

    1. Open the Certificate Inventory.
    2. Use the Installation Type filter to limit installations to CAPI.
  2. In the Installations column, click the arrow to see the installations associated with a certificate.
  3. In the Installation Type column, look for installations of type CAPI, and then click Installation Type.
  4. Click Edit.
  5. Scroll to the Hardware Security Module Settings section.

    These settings are only available if you have Venafi Advanced Key Protect enabled. For more information, see Enabling Venafi Advanced Key Protect.

  6. In the Private Key Location field, choose hardware remote key generation or software remote key generation. For more information, see Supported methods of key generation.

    • Device. This option is software remote key generation on the external device.
    • Thales SafeNet HSM. This option is hardware remote key generation on the Thales SafeNet Luna SA HSM. You will be required to fill out the following fields:

      • Key Label. Type the label that you want used for keys created by the CAPI driver in your HSM.

        This option makes it easier for you to identify which certificates correspond to the newly generated keys. If you leave this field empty, Windows automatically generates a unique name whenever a new key pair is created. Alternatively, you could choose to change the key label manually before renewing the certificate.

        DID YOU KNOW?  Trust Protection Platform uses the label you specify each time that it provisions the certificate. Because Microsoft Windows allows only one instance of a particular key label, you must set Reuse Private Key for Service Generated CSRs to Yes on the certificate's policy, which prevents a possible error the first time the certificate is renewed. For more information, see Reuse Private Key for Service Generated CSRs and Setting policy on a folder.

    • Entrust nShield Connect HSM (RSA keys only). This option is hardware remote key generation on the Entrust nShield Connect HSM. If you choose Entrust nShield Connect HSM, no additional configuration information is required.

  7. Click Save.
  8. (Optional) If you are using a SafeNet HSM that runs in strict FIPS 140-2 Level 3 mode, configure it with RSAKeyGenMechRemap=1. For more information, see SafeNet documentation.

TIP  You can control the remote generation settings via policy by launching Policy Tree, selecting a policy, and opening Applications CAPI > Remote Generation Settings.
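After the installation has been provisioned, you will usually want to confirm on the Windows host that the private key actually lives in the provider you selected under Private Key Location rather than in a Microsoft software provider. The following PowerShell script is an added example, not part of the Venafi documentation or product; it walks the local machine certificate store, opens each private key through the .NET X509 APIs, and reports the key's type (legacy CSP or CNG KSP), provider name, container or unique name, and whether it is hardware-backed. The provider-name substrings used to recognise an HSM provider (`Luna`, `SafeNet`, `nCipher`, `nShield`) are assumptions to be checked against your HSM client's documentation.

```powershell
# Added example (not Venafi's code): report which key storage provider holds
# the private key of each certificate in a Windows certificate store, so the
# Private Key Location chosen in TLS Protect can be confirmed on the host.
# Run in an elevated PowerShell session on the machine that received the
# CAPI installation.
param(
    [string]$StorePath = 'Cert:\LocalMachine\My',
    # Substrings that identify an HSM provider name. These are assumptions;
    # adjust them to match the provider name your HSM client registers.
    [string[]]$HsmProviderPatterns = @('Luna', 'SafeNet', 'nCipher', 'nShield')
)

function Get-PrivateKeyProviderInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $result = [ordered]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey
        KeyType       = $null
        Provider      = $null
        Container     = $null
        Hardware      = $null
    }
    if (-not $Cert.HasPrivateKey) { return [pscustomobject]$result }

    # GetRSAPrivateKey returns an RSACryptoServiceProvider for legacy CAPI (CSP)
    # keys and an RSACng for CNG (KSP) keys; it throws if the key cannot be opened
    # (for example when the HSM client is not reachable), so treat that as unknown.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    } catch {
        $rsa = $null
    }

    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP key: provider, container and hardware flag come from CspKeyContainerInfo.
        $info = $rsa.CspKeyContainerInfo
        $result.KeyType   = 'CAPI/CSP'
        $result.Provider  = $info.ProviderName
        $result.Container = $info.KeyContainerName
        $result.Hardware  = $info.HardwareDevice
    } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key: the CngKey object exposes the provider and the key's unique name.
        # CNG has no hardware flag, so match the provider name against the patterns above.
        $providerName     = $rsa.Key.Provider.Provider
        $result.KeyType   = 'CNG/KSP'
        $result.Provider  = $providerName
        $result.Container = $rsa.Key.UniqueName
        $result.Hardware  = @($HsmProviderPatterns | Where-Object { $providerName -like "*$_*" }).Count -gt 0
    } else {
        $result.KeyType = 'unknown (key not accessible from this session)'
    }
    return [pscustomobject]$result
}

# Usage: emit one object per certificate; software-backed keys show a
# "Microsoft ..." provider and Hardware = False, HSM-backed keys show the
# HSM client's provider name.
Get-ChildItem -Path $StorePath |
    ForEach-Object { Get-PrivateKeyProviderInfo -Cert $_ } |
    Format-Table Subject, KeyType, Provider, Container, Hardware -AutoSize
```

Because the script opens each key, it must run as a principal that has access to the machine keys (an elevated session is the simplest way to get that); a key that reports as unknown is worth a second look, since it usually means the HSM client or its credentials are not available to the session rather than that the key is missing.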