Hardware Central key generation with Venafi Advanced Key Protect

With hardware central key generation, Trust Protection Platform connects directly to the HSM and instructs the HSM to generate the private key. Trust Protection Platform then exports the key from the HSM to where it is stored, and uses the key to sign the certificate signing request (CSR).

Using an HSM for private key generation for SSH keys and certificates

Once Venafi Advanced Key Protect is enabled on your system, you can make an HSM generate private keys for certificates in either of two ways: configure the Key Generation option at the policy level (on the Certificate tab) in Policy Tree, or change the Default Key Generation option on the encryption tree root.

If you want the HSM to generate SSH keys while a software driver generates certificate keys, set the Default Key Generation option on the encryption tree root to the HSM in Policy Tree. For certificates, override that default by changing the Key Generation option on the Certificate tab at the policy level. For configuration information, see Configuring the root encryption driver.

Venafi Advanced Key Protect system requirements for supported HSMs

Starting with the client versions listed below, the following HSMs are supported for central key generation by Venafi Advanced Key Protect and for private key storage by Venafi CodeSign Protect.

IMPORTANT  Venafi states minimum supported HSM versions and expects HSM vendors to keep later versions fully backward compatible. If issues are found with a newer version, Venafi will actively test against that version.

Supported HSM                 Encrypt Secrets   Private Key Generation (1)     Code Signing Certificate Private Key Storage (2)   Minimum Client Version
Entrust nShield Connect HSM   Supported         Supported                      Supported                                          12.40.2
Thales SafeNet Luna SA        Supported         Supported (requires CKE (3))   Supported                                          6.2.24

NOTE  Thales SafeNet Luna SA version 6.3 is known to have issues with Trust Protection Platform. We recommend not using version 6.3.

Vendor Self-Certified HSMs

NOTE  The HSM partners listed below have gone through the self-certification process. That process involves testing the specific PKCS#11 mechanisms that Trust Protection Platform uses when an HSM protects objects such as private keys and credential objects, and when Advanced Key Protect is enabled.

Self-certification means that the partner has performed the testing and demonstrated a successful integration with Venafi. Successful self-certification indicates that the integration will work as expected; if something behaves unexpectedly, the HSM vendor may need to be engaged.

HSM                                Encrypt Secrets   Private Key Generation (5)   Code Signing Certificate Private Key Storage (6)   Firmware Version
Atos Trustway Proteccio            Supported         Supported                    Supported                                          1.47
AWS CloudHSM                       Supported         -                            Supported                                          2.4
Crypto4A QxEDGE                    Supported         Supported                    Supported                                          1
Entrust nShield as a Service       Supported         Supported                    Supported                                          12.6
Fortanix Data Security Manager     Supported         Supported                    Supported                                          1
FutureX Vectra Plus                Supported         Supported                    Supported                                          4.13
Securosys Primus HSM               Supported         Supported                    Supported                                          1.7
Thales Data Protection on Demand   Supported         Supported                    Supported                                          7.3
Utimaco CryptoServer               Supported         Supported                    Supported                                          2.3

Supported = feature is supported on that HSM; - = not listed as supported.
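The flow described at the top of this page (the HSM generates the key pair, the key is exported for storage, and the key signs the CSR) and the self-certification note above both come down to which PKCS#11 mechanisms a token exposes. The script below is an added example, not Venafi or vendor code: it parses the output of OpenSC's `pkcs11-tool --module <lib> --list-mechanisms` and checks it against a set of capabilities that such a flow needs. The mechanism list in REQUIREMENTS and the two sample token outputs are assumptions constructed for this example; the page does not list the mechanisms Trust Protection Platform actually invokes, so adjust REQUIREMENTS to your vendor's integration guide.

```python
"""Pre-flight check of a PKCS#11 token for hardware central key generation.

Parses the text printed by OpenSC's `pkcs11-tool --module <lib> --list-mechanisms`
and checks that the token advertises what the flow needs: on-HSM key-pair
generation, signing for the CSR, and a wrap mechanism so the private key can be
exported for storage. Stdlib only; runs offline on the constructed samples below.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Mechanism:
    name: str
    flags: Set[str] = field(default_factory=set)
    min_key: Optional[int] = None
    max_key: Optional[int] = None


# One mechanism per indented line: "  NAME, keySize={min,max}, flag, flag, ..."
_LINE = re.compile(r"^\s+([A-Za-z0-9_-]+)(?:,\s*(.*))?$")
_KEYSIZE = re.compile(r"keySize=\{(\d+),(\d+)\}")


def parse_mechanisms(text: str) -> Dict[str, Mechanism]:
    """Turn pkcs11-tool --list-mechanisms output into a name -> Mechanism map."""
    mechs: Dict[str, Mechanism] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # slot banner, "Supported mechanisms:" header, blank lines
        name, rest = m.group(1), m.group(2) or ""
        mech = Mechanism(name)
        ks = _KEYSIZE.search(rest)
        if ks:
            mech.min_key, mech.max_key = int(ks.group(1)), int(ks.group(2))
        mech.flags = {f.strip() for f in _KEYSIZE.sub("", rest).split(",") if f.strip()}
        mechs[name] = mech
    return mechs


# ASSUMPTION for this example: a plausible set of capabilities, each satisfied by
# any one (mechanism, flag) alternative. The page does not list the mechanisms
# Trust Protection Platform really calls. RSA-PKCS "wrap" is deliberately not an
# alternative for export: PKCS#1 v1.5 wrapping carries only secret (symmetric)
# keys, so it cannot move an RSA or EC private key out of the token.
REQUIREMENTS = {
    "generate key pair on HSM": [("RSA-PKCS-KEY-PAIR-GEN", "generate_key_pair"),
                                 ("ECDSA-KEY-PAIR-GEN", "generate_key_pair")],
    "sign CSR": [("SHA256-RSA-PKCS", "sign"), ("ECDSA-SHA256", "sign")],
    "export (wrap) private key": [("AES-KEY-WRAP", "wrap"), ("AES-KEY-WRAP-PAD", "wrap"),
                                  ("RSA-PKCS-OAEP", "wrap")],
}


def check_token(mechs: Dict[str, Mechanism], min_rsa_bits: int = 2048) -> List[str]:
    """Return the unmet capabilities; an empty list means the token passes."""
    missing: List[str] = []
    for capability, alternatives in REQUIREMENTS.items():
        if not any(n in mechs and flag in mechs[n].flags for n, flag in alternatives):
            missing.append(capability)
    rsa = mechs.get("RSA-PKCS-KEY-PAIR-GEN")
    if rsa and rsa.max_key is not None and rsa.max_key < min_rsa_bits:
        missing.append(f"RSA key size >= {min_rsa_bits}")
    return missing


# Constructed sample outputs (not captured from any real HSM).
SAMPLE_OK = """\
Using slot 0 with a present token (0x0)
Supported mechanisms:
  RSA-PKCS-KEY-PAIR-GEN, keySize={2048,4096}, hw, generate_key_pair
  RSA-PKCS, keySize={2048,4096}, hw, encrypt, decrypt, sign, verify, wrap, unwrap
  SHA256-RSA-PKCS, keySize={2048,4096}, hw, sign, verify
  ECDSA-KEY-PAIR-GEN, keySize={256,521}, hw, generate_key_pair
  ECDSA-SHA256, keySize={256,521}, hw, sign, verify
  AES-KEY-WRAP, keySize={16,32}, hw, wrap, unwrap
  SHA256, digest
  mechtype-0x80000001, keySize={256,256}, hw, encrypt, decrypt
"""

# Same token but with no mechanism able to wrap a private key out.
SAMPLE_NO_WRAP = """\
Using slot 0 with a present token (0x0)
Supported mechanisms:
  RSA-PKCS-KEY-PAIR-GEN, keySize={2048,4096}, hw, generate_key_pair
  RSA-PKCS, keySize={2048,4096}, hw, encrypt, decrypt, sign, verify, wrap, unwrap
  SHA256-RSA-PKCS, keySize={2048,4096}, hw, sign, verify
  SHA256, digest
"""


if __name__ == "__main__":
    # Pipe real output in: pkcs11-tool --module /path/to/lib.so --list-mechanisms | python3 check_mechanisms.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OK
    problems = check_token(parse_mechanisms(text))
    print("OK: token advertises all required mechanisms" if not problems
          else "MISSING: " + "; ".join(problems))
    sys.exit(1 if problems else 0)
```

A mechanism advertising `wrap` is necessary but not sufficient for exporting the generated key: the token's partition or key policy must also allow private keys to be wrapped out, and that is configured (and often licensed) separately from the mechanism list, so a passing check here should be followed by an actual generate-export-sign run against a test partition.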