Configuring HSM-based remote key generation
When planning to set up HSM-based remote key generation, review the following important configuration steps:
- You must enable Venafi Advanced Key Protect, an optional feature in the Venafi Configuration Console. For more information, see Venafi Advanced Key Protect.
- On the certificate being provisioned, enable remote key generation by setting Generate Key/CSR on Application to Yes.
  IMPORTANT When one or more of the following items are true, Remote Generation is not supported and, therefore, the Generate Key/CSR on Application setting is ignored:
  - You're using a driver that does not support remote generation. To learn which drivers support remote generation, see Supported integrations: devices, applications, services and features supported by Venafi.
  - You're using a self-signed CA template to enroll a certificate; self-signed CA templates do not work with remote generation. This is because Trust Protection Platform requires that the private key be stored centrally so that it can be used to sign the self-signed certificate.
  - Your certificate is associated with more than one application; to work correctly, the certificate must be associated with exactly one application.
  - You have not set the certificate's management type to Provisioning.
- (Recommended) Apply the Reuse Private Key for Service Generated CSRs policy to the folder containing the certificate by setting it to Yes.
  BEST PRACTICE Although it is generally a best practice to generate a new key pair with every certificate renewal, the strong key protection of the HSM makes key reuse acceptable. It also prevents multiple generations of keys from accumulating in the HSM over time, since deleting a certificate from the device generally does not also remove its keys from the HSM.
- (Conditional) To complete the configuration, refer to the related topic and to the associated vendor documentation for configuration details specific to the driver you're using:
  - Apache:
    - If you want to use Aperture to create an installation or a group of Apache installation applications that share the same certificate, see Creating an Apache Installation.
    - Creating an Apache application object
    - Vendor documentation:
  - CAPI:
  - JKS:
    - Creating a JKS application object
    - Vendor documentation: Oracle WebLogic Server Integration Guide (007-012420-001, Rev M [May 2018]). See Entrust nShield e-Security Integration Guide for Oracle WebLogic Server for UNIX, and Entrust nShield e-Security Cryptographic API Integration Guide.
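As an added example (not part of the Venafi documentation and not a Venafi API), the following Python pre-flight check encodes the conditions above so an inventory of certificate objects can be audited for ones whose Generate Key/CSR on Application setting would be silently ignored, and for ones missing the recommended key-reuse policy. The driver set, the CertConfig fields and the sample inventory are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample set of drivers that support remote generation; the
# authoritative list is the "Supported integrations" page referenced above.
REMOTE_GEN_DRIVERS = {"Apache", "CAPI", "JKS"}

@dataclass
class CertConfig:
    """Constructed stand-in for a certificate object's relevant settings."""
    name: str
    driver: str
    self_signed_ca_template: bool
    applications: List[str]
    management_type: str
    generate_on_application: bool
    reuse_private_key_policy: bool = False

def remote_generation_blockers(cert: CertConfig) -> List[str]:
    """Conditions under which Generate Key/CSR on Application is ignored."""
    reasons = []
    if cert.driver not in REMOTE_GEN_DRIVERS:
        reasons.append(f"driver {cert.driver!r} does not support remote generation")
    if cert.self_signed_ca_template:
        reasons.append("self-signed CA template needs the private key stored centrally")
    if len(cert.applications) != 1:
        reasons.append(f"associated with {len(cert.applications)} applications, needs exactly 1")
    if cert.management_type != "Provisioning":
        reasons.append(f"management type is {cert.management_type!r}, not 'Provisioning'")
    return reasons

def audit(certs: List[CertConfig]) -> Dict[str, List[str]]:
    """Per-certificate findings; an empty list means remote generation is in effect."""
    report = {}
    for cert in certs:
        findings = [] if cert.generate_on_application else ["Generate Key/CSR on Application is not Yes"]
        findings += remote_generation_blockers(cert)
        if not findings and not cert.reuse_private_key_policy:
            # Deleting a certificate from the device does not remove its keys from the HSM.
            findings.append("WARNING: Reuse Private Key for Service Generated CSRs is not Yes")
        report[cert.name] = findings
    return report

if __name__ == "__main__":
    # Constructed inventory: one correct object, one that silently falls back.
    for name, findings in audit([
        CertConfig("web01", "Apache", False, ["apache-web01"], "Provisioning", True, True),
        CertConfig("svc02", "JKS", True, ["jks-a", "jks-b"], "Enrollment", True),
    ]).items():
        print(name, findings or "OK: remote key generation in effect")
```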