Cryptographic Module Standards and Control
CA Private Keys must be used and unlocked on cryptographic modules that meet or exceed the requirements as defined in §6.2.11. The cryptographic modules are held in secure facilities.
CA Private Key Multi-Person Control
A minimum of two-person control will be enforced for the activation of any CA Private Key, and may be implemented as a combination of technical and procedural controls. Persons involved in the management and use of CA Private Keys shall hold Trusted Roles.
Private Key Escrow
CA Private Keys are not escrowed.
Private Key Backup
All copies of the CA's Private Key shall be protected in the same manner as the original.
Private Key Archival
CA Private Keys are not archived.
Private Key Transfer into or from Cryptographic Module
CA Private Keys shall be generated by and secured in a cryptographic module. Private Keys are backed up and restored to multiple HSMs to provide high availability and disaster recovery, while remaining secured within the boundary of the cryptographic module.
Private Key Storage on Cryptographic Module
CA Private Keys are stored and secured on a cryptographic module as defined in §6.2.11.
Method of Activating Private Keys
CA Private Keys are activated upon generation and available for automated signing of revocation data and RA-initiated certificate signing.
Private Key Deactivation Methods
CA Private Keys will be deactivated upon termination of service.
Private Signature Key Destruction Method
No stipulation.
Cryptographic Module Rating
CA Key Pairs are generated and protected on a cryptographic module that is certified to at least FIPS 140-2 Level 3.