Key Pair Generation and Installation
CA Key Pair Generation
An API-based, automated, documented process to generate CA Key Pairs is executed at the request of the RA.
The CA system will perform the following when generating a CA Key Pair:
Generate the CA Key Pair in a physically secured environment;
Generate the CA Key Pair within hardware cryptographic modules meeting the applicable requirements of §6.2.11;
Log its CA Key Pair generation activities; and
Maintain effective controls to provide reasonable assurance that the Private Key was generated and protected in conformance with the procedures described in this CPS.
Subscriber Key Pair Generation
The Applicant or Subscriber is required to generate or initiate a new, secure, and cryptographically sound Key Pair to be used in association with the Subscriber’s Certificate or Applicant’s Certificate Application.
PKIaaS generates Subscriber Key Pairs only when the chosen certificate profile supports the PKCS #12 format.
Key Delivery to Subscriber
Where the Key Pair is generated on behalf of the Subscriber by the CA, the Private Key is delivered to the Subscriber in PKCS #12 format, in a cryptographically secure manner with at least 168 bits of encryption strength.
Public Key Delivery to Certificate Issuer
Subscriber Public Keys are delivered to the CA in a Certificate Signing Request as part of the Certificate Application process.
CA Public Key Delivery to Relying Parties
The CA Public Keys are provided to the Relying Parties by the RA.
Key Sizes
For CA and Subscriber Certificates, the key sizes supported are:
RSA 4096
RSA 3072
RSA 2048
ECDSA P-521
ECDSA P-384
ECDSA P-256
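As an added example (not part of this CPS or of the PKIaaS software), the following Go program shows both sides of the Public Key delivery described above: the Subscriber builds a Certificate Signing Request over a Key Pair it generated, and the receiving side verifies the CSR's self-signature (proof of possession of the Private Key) and rejects any public key that is not one of the key sizes listed. The function names makeCSR, checkCSR and allowedKey are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
)

// allowedKey names a CSR public key and says whether its size is one this CPS permits.
func allowedKey(pub any) (string, bool) {
	switch k := pub.(type) {
	case *rsa.PublicKey: // RSA 2048, 3072 or 4096
		bits := k.N.BitLen()
		return fmt.Sprintf("RSA %d", bits), bits == 2048 || bits == 3072 || bits == 4096
	case *ecdsa.PublicKey: // ECDSA P-256, P-384 or P-521
		c := k.Curve
		return "ECDSA " + c.Params().Name, c == elliptic.P256() || c == elliptic.P384() || c == elliptic.P521()
	}
	return fmt.Sprintf("%T", pub), false // e.g. Ed25519 is not in the CPS list
}

// checkCSR parses a DER CSR, checks its self-signature (proof of possession) and the key size.
func checkCSR(der []byte) (string, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return "", err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", fmt.Errorf("proof of possession failed: %w", err)
	}
	desc, ok := allowedKey(csr.PublicKey)
	if !ok {
		return desc, fmt.Errorf("%s is not a key size permitted by this CPS", desc)
	}
	return desc, nil
}

// makeCSR is the Subscriber side: a CSR over a key the Subscriber generated (subject left empty for brevity).
func makeCSR(priv any) ([]byte, error) {
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{}, priv)
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the Subscriber generates the Key Pair
	der, _ := makeCSR(key)
	fmt.Println(checkCSR(der)) // ECDSA P-256 <nil>
}
```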
Public Key Parameters Generation and Quality Checking
CA Public Keys are generated and protected on a cryptographic module that is compliant with at least FIPS 140-2 Level 3 certification standards.
Subscriber Public Keys: no stipulation.
Key Usage Purposes
No stipulation.