Hardware remote key generation with Advanced Key Protect

With hardware remote key generation, Trust Protection Foundation connects to the remote HSM, and instructs the remote system (via a supported driver) to generate the private key using hardware generation. It then stores the private key on the HSM, and creates the signed CSR, which is then exported to Trust Protection Foundation. In this case, Trust Protection Foundation never sees the private key, just the signed CSR. The key remains in the HSM.

The supported drivers are:

• Apache. For more information on configuring Apache certificates, see Enabling remote key generation for Apache certificates.
• CAPI. For more information on configuring CAPI certificates, see Enabling remote key generation for CAPI certificates.
• JKS For more information on configuring JKS certificates, see Enabling remote key generation for JKS certificates.
• F5 LTM Advanced For more information on configuring F5 certificates, see Configuring an F5 LTM Advanced application object.

Hardware remote key generation is the most secure method of generating private keys and CSRs because the data stays remotely in the HSM.