
CA Private Key Options

When creating a certificate on the Make New Certificate page, the key generation parameters (including the HSM to be used) can be specified by clicking Set Key Generation Parameters.

To use an existing PKCS #11 key, select Use existing PKCS#11 key as the key provider and click Refresh. Certifier will then show all the detected PKCS #11 keys; you should be able to see the keys created with the key management utilities.

For SSH Tectia Certifier to be able to use your key, you must enter its passphrase by clicking CA Passphrase Status in System configuration.

To create a new PKCS #11 key, select Create PKCS#11 key from the drop-down list and click Refresh. SSH Tectia Certifier will then show you all the detected PKCS #11 tokens, allowing you to select the token you wish to generate the key with.

Figure : PKCS #11 key setting

You can specify some of the PKCS #11 attributes, though the default attributes are sensitive. In some cases you might want to clear the Exportable flag to make it impossible to leak the CA key out programmatically. On some devices, such as Eracom, clearing this flag makes it impossible to back up the key using the described procedure. When this flag is set, anyone who can run arbitrary commands on the host running the Certifier Engine can access the CA private key.

Note that in most cases the HSM vendor provides tools for generating and restoring keys. Some vendors (including Eracom) use proprietary flags that affect the key backup and restore procedures. In those cases, it is recommended that keys are generated, backed up and restored using the vendor's own tools. See the vendor's documentation for more information.
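The Exportable trade-off above (leak prevention versus wrap-based backup) can be audited from the key object's attributes. The following is an added example, not part of the Certifier product or its documentation: it assumes the standard PKCS #11 CKA_* attribute names as read with C_GetAttributeValue, and the two attribute sets at the bottom are constructed for illustration rather than read from a real token.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    message: str


def assess_ca_key(attrs: dict) -> list:
    """Audit the CKA_* attributes of a CA private-key object.

    attrs maps standard PKCS #11 attribute names to booleans. Missing
    attributes are reported because their defaults are token-specific.
    """
    findings = []
    for name in ("CKA_TOKEN", "CKA_PRIVATE", "CKA_SENSITIVE", "CKA_EXTRACTABLE"):
        if name not in attrs:
            findings.append(Finding("info", f"{name} not set; default is token-specific"))
    if attrs.get("CKA_TOKEN") is False:
        findings.append(Finding("high", "session object: key is lost when the session closes"))
    if attrs.get("CKA_PRIVATE") is False:
        findings.append(Finding("medium", "key is usable without logging in to the token"))
    if attrs.get("CKA_SENSITIVE") is False:
        findings.append(Finding("high", "key material readable with C_GetAttributeValue"))
    if attrs.get("CKA_EXTRACTABLE") is True:
        # The Exportable flag: any process with token access on the engine
        # host can wrap the key out with C_WrapKey (this also enables backup).
        findings.append(Finding("high", "key can be wrapped out of the token with C_WrapKey"))
    elif attrs.get("CKA_EXTRACTABLE") is False:
        findings.append(Finding("info", "key cannot be wrapped out; back up with the vendor's own tools"))
    # A key that is protected now but was not always so may already have a copy outside the token.
    if attrs.get("CKA_SENSITIVE") and attrs.get("CKA_ALWAYS_SENSITIVE") is False:
        findings.append(Finding("medium", "key was not always sensitive; a plaintext copy may exist"))
    if attrs.get("CKA_EXTRACTABLE") is False and attrs.get("CKA_NEVER_EXTRACTABLE") is False:
        findings.append(Finding("medium", "key was extractable earlier; a wrapped copy may exist"))
    return findings


def worst_severity(findings: list) -> str:
    order = {"high": 2, "medium": 1, "info": 0}
    return max((f.severity for f in findings), key=order.get, default="info")


# Constructed sample attribute sets (not read from a real token).
EXPORTABLE_CA_KEY = {
    "CKA_TOKEN": True, "CKA_PRIVATE": True, "CKA_SENSITIVE": True,
    "CKA_ALWAYS_SENSITIVE": True, "CKA_EXTRACTABLE": True, "CKA_NEVER_EXTRACTABLE": False,
}
LOCKED_CA_KEY = dict(EXPORTABLE_CA_KEY, CKA_EXTRACTABLE=False, CKA_NEVER_EXTRACTABLE=True)

if __name__ == "__main__":
    for label, key in (("exportable", EXPORTABLE_CA_KEY), ("locked", LOCKED_CA_KEY)):
        print(label, worst_severity(assess_ca_key(key)), [f.message for f in assess_ca_key(key)])
```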
