Key Pair Generation and Installation

CA Key Pair Generation

An API based, automated, documented process to generate CA key pairs is executed at the request of the RA.

The CA system will perform the following when generating a CA Key Pair:

  1. Generate the CA Key Pair in a physically secured environment;
  2. Generate the CA Key Pair within hardware cryptographic modules meeting the applicable requirements of §6.2.11;
  3. Log its CA Key Pair generation activities; and
  4. Maintain effective controls to provide reasonable assurance that the Private Key was generated and protected in conformance with the procedures described in this CPS.

Subscriber Key Pair Generation

The Applicant or Subscriber is required to generate or initiate a new, secure, and cryptographically sound Key Pair to be used in association with the Subscriber’s Certificate or Applicant’s Certificate Application.   

PKIaaS only generates the subscriber key pairs when the PKCS #12 format is supported by a chosen certificate profile.

Key Delivery to Subscriber

In the case where the Key Pair is generated on behalf of the Subscriber by the CA, the Private Key will be delivered to the Subscriber in a cryptographically secure manner with at least 168-bits encryption strength in a PKCS #12 format. 

Public Key Delivery to Certificate Issuer

Subscriber Public Keys are delivered to the CA in a Certificate Signing Request as part of the Certificate Application process.

CA Public Key Delivery to Relying Parties

The CA Public Keys are provided to the Relying Parties by the RA.

Key Sizes

For CA and Subscriber Certificates, the key sizes supported are:

  • RSA 4096
  • RSA 3072
  • RSA 2048
  • ECDSA P-521
  • ECDSA P-384
  • ECDSA P-256

Public Key Parameters Generation and Quality Checking

CA Public Keys are generated and protected on a cryptographic module that is compliant to at least FIPS 140-2 Level 3 certification standards.

Subscriber Public Keys: no stipulation.

Key Usage Purposes

No stipulation