Hardware remote key generation with Venafi Advanced Key Protect
With hardware remote key generation, Trust Protection Platform connects to the remote HSM and, via a supported driver, instructs the remote system to generate the private key in hardware. The key is created and held inside the HSM. The remote system then builds a CSR, signs it with that key, and exports only the signed CSR to Trust Protection Platform. Trust Protection Platform therefore never sees the private key, just the signed CSR; the key never leaves the HSM.
The supported drivers are:
- Apache. For more information on configuring Apache certificates, see Enabling remote key generation for Apache certificates.
- CAPI. For more information on configuring CAPI certificates, see Enabling remote key generation for CAPI certificates.
- JKS. For more information on configuring JKS certificates, see Enabling remote key generation for JKS certificates.
Hardware remote key generation is the most secure method of generating private keys and CSRs because the private key never leaves the HSM. The only thing transmitted to Trust Protection Platform is the CSR, which carries the public key plus a signature made with the private key, and that signature is what proves the remote system holds the key. The corresponding caveat: because Trust Protection Platform never holds the private key, it cannot back it up or install it anywhere else, so the certificate is usable only on the system attached to that HSM.