During this phase of the Key Generation Ceremony, the necessary number of key pairs is generated, subject to the number of CAs that will be created during the Key Ceremony. All private keys are securely generated and saved in an encrypted format on a cryptographic device, most often a hardware device such as a Hardware Cryptographic Module, commonly referred to as an HSM. Public key request files are also saved to a hard disk drive, CD disc, USB flash drive or diskette.
At this stage, each key pair is given a Common Name and, as an option, a unique key identifier file is named and saved to a hard disk, USB flash drive or diskette. These values identify the key and allow the Key Ceremony Administrator to properly set up the cryptographic tools to access the key at a later stage of the Key Ceremony and in later routine use if necessary.
In order to generate a key pair on a cryptographic device, the command prompt based support software of the cryptographic device can be used in combination with the Digi-CA™ Cryptographic Toolkit. Subject to your own or your customer's preference, to regulatory requirements, and to the algorithms supported by the Digi-CA™ PKI System and by the cryptographic device in use, the Key Generation Administrator needs to ensure that he has correctly defined the following values describing the type and the size of each private and public key pair:
a. Key Type, i.e. the key algorithm [e.g. RSA]
b. Key Size, provided as an integer number of bits [e.g. 2048]
Ensure that these values are known to the Key Generation Administrator in advance and that your own or your customer's company understands their meaning, usage limitations and security risks with respect to the current cryptographic security norms and standards for commercial use.
If you intend to protect a particular key with a set of Key Access Component Cards, ensure that all Key Access Component Holders are present at the ceremony, have their cards ready for use and confirm that they remember, or have access to, the PIN codes needed to read the data on their cards. If the Key Access Component Card Set key protection feature is enabled during this phase, the configured number of Card Holders will be asked to insert their cards into the smart card reader connected directly to the cryptographic device and to enter the PIN code with which they protected their cards. Once the last required card is loaded, the cryptographic device automatically generates the requested key data based on the specified key type algorithm and bit size and outputs the relevant data, such as a certificate request containing the associated public key and, optionally, a unique key identifier file, to an appointed location on a hard disk drive, CD disc, USB flash drive or diskette.
At the end of the key generation process, ensure that the event is documented in the Key Ceremony Notes Document and that the document clearly shows that each key is correctly associated not only with the specific company for which it was generated but also with the CA for which it was generated. For example, ACME Certification Authority could be assigned to 2048 bit RSA PrivateKey1, etc.
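The steps above as a shell script, added here as an example and not Digi-CA code: openssl stands in for the cryptographic device support software (so the private key lands in a file, whereas at a real ceremony it stays inside the HSM), the key label, Common Name, key identifier method and 2048-bit RSA floor are assumptions of the example, and the Key Access Component Card quorum has no software equivalent here.

```shell
#!/bin/sh
# Added example: openssl in place of the cryptographic device; the private key is file-based
# only because no HSM is involved. All names and the policy floor are assumptions.
set -eu

# generate_ca_key <key label> <Common Name> <key type: RSA|EC> <bits for RSA, curve name for EC> <output dir>
# Produces: <label>.key (private key), <label>.csr (request carrying the public key),
# <label>.keyid (unique key identifier) and a Key Ceremony Notes line in ceremony-notes.txt.
generate_ca_key() {
  label=$1; cn=$2; ktype=$3; ksize=$4; out=$5
  mkdir -p "$out"
  case "$ktype" in
    RSA)
      # Assumed policy floor: refuse RSA keys shorter than 2048 bits before anything is generated.
      [ "$ksize" -ge 2048 ] || { echo "RSA key size $ksize is below the 2048-bit minimum" >&2; return 1; }
      openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$ksize" -out "$out/$label.key" 2>/dev/null
      desc="$ksize bit RSA" ;;
    EC)
      openssl genpkey -algorithm EC -pkeyopt "ec_paramgen_curve:$ksize" -out "$out/$label.key" 2>/dev/null
      desc="EC $ksize" ;;
    *)
      echo "unsupported key type: $ktype" >&2; return 1 ;;
  esac
  # Public key request file: a CSR whose subject is the CA's Common Name.
  openssl req -new -key "$out/$label.key" -subj "/CN=$cn" -out "$out/$label.csr"
  # Unique key identifier file: SHA-1 over the DER-encoded public key (method chosen for this example).
  openssl pkey -in "$out/$label.key" -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha1 | awk '{print $NF}' > "$out/$label.keyid"
  # Key Ceremony Notes entry mapping the CA to the key generated for it.
  printf '%s -> %s %s (key id %s)\n' "$cn" "$desc" "$label" "$(cat "$out/$label.keyid")" \
    >> "$out/ceremony-notes.txt"
}

# Constructed run using the page's own example values: ACME Certification Authority, 2048 bit RSA, PrivateKey1.
ceremony_demo() {
  out=${1:-./ceremony-out}
  generate_ca_key PrivateKey1 "ACME Certification Authority" RSA 2048 "$out"
  cat "$out/ceremony-notes.txt"
}
```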
After the Key Ceremony, the CA Operator uses the .x509 certificate file generated during the ceremony to map the private key stored on the cryptographic device to the new CA infrastructure.
The above process for generating keys can be completed using a cryptographic device working in a production environment, and it does not disrupt the operations of the other CAs maintained in your Digi-CA™ PKI System environment. This also enables the CA Operator to bring new CAs online easily, without taking existing CAs offline.
Using the Key Generation Ceremony, a new key pair is generated whenever a new Root or Subordinate CA is created. Typically, a Root CA is created first and is then used to sign each new Level 1 Subordinate CA in the CA hierarchy, and so on.