
CA Private Key Options

When creating a certificate on the Make New Certificate page, the key generation parameters (including the HSM to use) can be specified by clicking Set Key Generation Parameters.

To use an existing PKCS #11 key, select Use existing PKCS#11 key as the key provider and click Refresh. Certifier then shows all the detected PKCS #11 keys; you should see the keys created with the key management utilities.

For SSH Tectia Certifier to be able to use your key, you must enter its passphrase by clicking CA Passphrase Status in System configuration.

To create a new PKCS #11 key, select Create PKCS#11 key from the drop-down list and click Refresh. SSH Tectia Certifier then shows all the detected PKCS #11 tokens, allowing you to select the token on which to generate the key.

Figure: PKCS #11 key setting

You can specify some of the PKCS #11 attributes, though the default attributes are sensitive. In some cases you may want to clear the Exportable flag so that the CA key cannot be leaked out of the token programmatically. On some devices, such as Eracom, clearing this flag makes it impossible to back up the key using the procedure described. When this flag is set, anyone who can run arbitrary commands on the host running the Certifier Engine can gain access to the CA private key.
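The trade-off above (an exportable key can be backed up by wrapping it out of the token, but can also be pulled out by anyone with a session on the engine host) is easiest to reason about as a check on the key's PKCS #11 attributes. The following is an added example, not code from SSH Tectia Certifier or from any HSM vendor: it uses the standard CKA_* attribute types from pkcs11t.h and constructed sample attribute listings, and audits them for the Sensitive and Exportable settings the page discusses plus the token-maintained history flags (CKA_NEVER_EXTRACTABLE, CKA_ALWAYS_SENSITIVE) that tell you whether a copy could already exist.

```python
"""Audit the PKCS #11 attributes of a CA private key.

Added example; not code from SSH Tectia Certifier. Attribute values
come from pkcs11t.h; the key listings at the bottom are constructed.
"""

# PKCS #11 attribute types (numeric values as defined in pkcs11t.h).
CKA_TOKEN = 0x0001              # key persists on the token, not only in the session
CKA_PRIVATE = 0x0002            # login required before the object is visible
CKA_SENSITIVE = 0x0103          # plaintext value never returned by C_GetAttributeValue
CKA_EXTRACTABLE = 0x0162        # "Exportable": key may be wrapped out with C_WrapKey
CKA_LOCAL = 0x0163              # generated on the token rather than imported
CKA_NEVER_EXTRACTABLE = 0x0164  # CKA_EXTRACTABLE was never true in the key's life
CKA_ALWAYS_SENSITIVE = 0x0165   # CKA_SENSITIVE was always true in the key's life

HIGH, INFO = "high", "info"


def hardened_ca_key_template():
    """Private-key half of a C_GenerateKeyPair template for a CA signing key."""
    return {
        CKA_TOKEN: True,
        CKA_PRIVATE: True,
        CKA_SENSITIVE: True,
        CKA_EXTRACTABLE: False,  # Exportable cleared: no programmatic export path
    }


def audit_private_key(attrs):
    """Return (severity, message) findings for a private key's attribute map.

    Flags the token sets itself (CKA_LOCAL, CKA_NEVER_EXTRACTABLE,
    CKA_ALWAYS_SENSITIVE) are judged only when present, so a generation
    template that does not carry them audits cleanly.
    """
    findings = []
    if attrs.get(CKA_SENSITIVE) is not True:
        findings.append((HIGH, "CKA_SENSITIVE not set: C_GetAttributeValue can return the plaintext key"))
    if attrs.get(CKA_EXTRACTABLE) is True:
        findings.append((HIGH, "CKA_EXTRACTABLE (Exportable) set: anyone with a session on the "
                               "Certifier Engine host can wrap the key out of the token"))
    else:
        findings.append((INFO, "key not exportable: wrap-based backup is impossible, "
                               "use the HSM vendor's own backup tools"))
    if attrs.get(CKA_TOKEN) is not True:
        findings.append((HIGH, "CKA_TOKEN not set: session object, lost at logout"))
    if attrs.get(CKA_PRIVATE) is not True:
        findings.append((HIGH, "CKA_PRIVATE not set: object visible without token login"))
    if attrs.get(CKA_LOCAL) is False:
        findings.append((INFO, "CKA_LOCAL false: key was imported, plaintext existed outside the HSM"))
    if attrs.get(CKA_NEVER_EXTRACTABLE) is False:
        findings.append((HIGH, "CKA_NEVER_EXTRACTABLE false: key was exportable earlier, a copy may exist"))
    if attrs.get(CKA_ALWAYS_SENSITIVE) is False:
        findings.append((HIGH, "CKA_ALWAYS_SENSITIVE false: plaintext was readable earlier in the key's life"))
    return findings


def is_acceptable_ca_key(attrs):
    """True when the audit raises no HIGH finding."""
    return not any(sev == HIGH for sev, _ in audit_private_key(attrs))


# Constructed sample listings, as a token might report them for three keys.
SAMPLE_KEYS = {
    "ca-signing-hardened": {
        CKA_TOKEN: True, CKA_PRIVATE: True, CKA_SENSITIVE: True,
        CKA_EXTRACTABLE: False, CKA_LOCAL: True,
        CKA_NEVER_EXTRACTABLE: True, CKA_ALWAYS_SENSITIVE: True,
    },
    "ca-signing-exportable": {
        CKA_TOKEN: True, CKA_PRIVATE: True, CKA_SENSITIVE: True,
        CKA_EXTRACTABLE: True, CKA_LOCAL: True,
        CKA_NEVER_EXTRACTABLE: False, CKA_ALWAYS_SENSITIVE: True,
    },
    "ca-signing-imported": {
        CKA_TOKEN: True, CKA_PRIVATE: True, CKA_SENSITIVE: False,
        CKA_EXTRACTABLE: False, CKA_LOCAL: False,
        CKA_NEVER_EXTRACTABLE: True, CKA_ALWAYS_SENSITIVE: False,
    },
}


if __name__ == "__main__":
    for label, attrs in SAMPLE_KEYS.items():
        print(f"{label}: {'OK' if is_acceptable_ca_key(attrs) else 'REVIEW'}")
        for sev, msg in audit_private_key(attrs):
            print(f"  [{sev}] {msg}")
```

Run it as a script to see the report for the three constructed keys. Against a real token, the same attribute map can be filled from whatever attribute listing your HSM's management utility produces; the point of the history flags is that clearing Exportable after the fact does not undo a copy that may already have been wrapped out.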

Note that in most cases the HSM vendor provides tools for generating, backing up and restoring keys. Some vendors (including Eracom) use proprietary flags that affect the key backup and restore procedures. In those cases it is recommended to generate, back up and restore the keys with the vendor's own tools. See the vendor's documentation for more information.
