Enabling remote key generation for JKS certificates

If you have Venafi Advanced Key Protect enabled, you can enable specific installations to use remote key generation.

Configuring remote key generation for JKS

  1. In TLS Protect, locate a certificate with installations of type JKS.

    1. Open the Certificate Inventory.
    2. Use the Installation Type filter to limit installations to JKS.
  2. In the Installations column, click the arrow to see the installations associated with a certificate.
  3. In the Installation Type column, look for installations of type JKS, and then click Installation Type.
  4. Click Edit.
  5. Scroll to the Hardware Security Module Settings section.

    These settings are only available if you have Venafi Advanced Key Protect enabled. For more information, see Enabling Venafi Advanced Key Protect.

  6. In the Private Key Location field, choose hardware remote key generation or software remote key generation. For more information, see Supported methods of key generation.

    • Device. This option is software remote key generation on the external device.
    • Thales SafeNet HSM. This option is hardware remote key generation on the Thales SafeNet Luna SA HSM. You will be required to fill out the following field:

      • Slot Number. Type the HSM slot number used by your JKS.
    • Entrust nShield Connect HSM (RSA keys only). This option is hardware remote key generation on the Entrust nShield Connect HSM. If you choose Entrust nShield Connect HSM, you must fill out the following fields:

      • Java Vendor. Select the vendor of the JDK you have installed on the device (either Oracle or IBM).
      • Protection Type. Depending on the option you select, you might also have to specify an Identifier for the protection type selected.

        • Module. This is the lowest protection level. It requires that your device has been properly configured to use the HSM for key generation.
        • Softcard. This is the next highest level of protection. This is a kind of password that is stored on your HSM. If you selected Softcard as the Protection Type, then in the Softcard Identifier field, enter your softcard's 40-character hash.

          This option requires that the device is properly configured to use the HSM for key generation and that a softcard has been previously generated using the HSM, and that the requester knows the passphrase for that softcard.

          NOTE   If you set Reuse Private Key for Service Generated CSRs to Yes on a certificate's policy, the protection type is ignored because it cannot be changed for an existing private key. If you need to change the protection type, you must set Reuse Private Key for Service Generated CSRs to No.

          For more information, see Setting policy on a folder.

  7. Click Save.
  8. (Optional) If you are using a SafeNet HSM that runs in strict FIPS 140-2 Level 3 mode, configure it with RSAKeyGenMechRemap=1. For more information, see SafeNet documentation.
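As an added check that is not part of this documentation, the following Python parses a Linux Luna client Chrystoki.conf and confirms that its Misc section carries RSAKeyGenMechRemap = 1 before the SafeNet HSM is used in strict FIPS mode. The brace-style file layout and the library paths are assumptions about the Luna client, and the sample file content is constructed.

```python
import re

# Constructed sample of a Linux Luna client Chrystoki.conf. The
# "Section = { key = value; }" layout and the paths are assumptions.
SAMPLE_CONF = """\
Chrystoki2 = {
   LibUNIX64 = /usr/safenet/lunaclient/lib/libCryptoki2_64.so;
}
Misc = {
   ToolsDir = /usr/safenet/lunaclient/bin;
   RSAKeyGenMechRemap = 1;
}
"""

_SECTION = re.compile(r"^\s*(\w+)\s*=\s*\{\s*$")
_ENTRY = re.compile(r"^\s*(\w+)\s*=\s*([^;]*?)\s*;\s*$")


def parse_chrystoki(text):
    """Parse brace-style Chrystoki.conf text into {section: {key: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = _SECTION.match(line)
        if m:                      # "Misc = {" opens a section
            section = m.group(1)
            conf.setdefault(section, {})
            continue
        if line.strip() == "}":    # closing brace ends the section
            section = None
            continue
        m = _ENTRY.match(line)
        if m and section is not None:
            conf[section][m.group(1)] = m.group(2)
        else:
            raise ValueError(f"unparsable line: {raw!r}")
    return conf


def rsa_remap_enabled(conf):
    """True when Misc.RSAKeyGenMechRemap is 1, the setting step 8 asks for
    on a SafeNet HSM running in strict FIPS 140-2 Level 3 mode."""
    return conf.get("Misc", {}).get("RSAKeyGenMechRemap") == "1"
```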

TIP  You can control the remote generation settings via policy by launching Policy Tree, selecting a policy, and opening Applications JKS > Remote Generation Settings.