Key Access Component Holders

• [1] Upon directing the Cryptographic Operation Control Software to sign the new Subordinate CA Certificate, the private key of the Root CA will need to be loaded to the HSM securely protected operational memory.
Since the private key of the Root CA we are about to use is encrypted and access protected, the Key Ceremony Administrator will require any 3 (three) Key Access Component Holders from the previously created Key Access Component Card Set, to separately follow the steps below:


a. Access their PIN envelope, that were previously placed on the Inventory Table

b. Re-read and memorize their PIN codes, that were previously written on their PIN Code paper sheet

c. Confirm to memorize their PIN code

d. Place their PIN Code paper sheet back into their envelope and place the envelope not sealed back on the Inventory Table

e. Take their smart card from the Inventory Table and when requested by the Key Generation Ceremony Administrator, walk towards the HSM device

f. When requested by the Key Generation Ceremony Administrator, insert their smart card into the smart card reader interface of the HSM device and when requested by the Key Generation Ceremony Administrator, enter their memorized PIN Code.

g. When requested by the Key Generation Ceremony Administrator, remove the smart card from the HSM smart card reader interface and place their smart card back on the Inventory Table on top of their PIN envelope.



The above sequence of steps will be repeated for the number of Key Access Component Holders, that are selected by the Key Ceremony Administrator.

All attending Witnesses must ensure, that each Key Access Component Holder accesses only their own Key Access Component Card and PIN envelope. They must also ensure, that all PIN Code paper sheets remain in envelopes, which are not sealed, and that relevant Key Access Component Cards reside on the top of each envelope on the Inventory Table at the end of this step. Furthermore, all Witnesses must ensure, that the correct Root CA private key is used during this step. This can be achieved by crosschecking whether the private key identifier file name along with the file system path, are both entered correctly by the Key Ceremony Administrator in the command prompt. These must match the Root CA private key details stored in the Key Map Document. The correct Root CA private key should be used hence the crosscheck.




• 5. The previous step left the Root CA private key used to sign the newly created Subordinate CA Certificate offline.

It also permanently associated an existing private key, that was generated earlier during this ceremony with the new Subordinate CA we created.



• 6. The Subordinate CA Signing is now declared complete.




Controls

During the Signing Event, at least two people from the Key Ceremony Attendees list of personnel were present at all times. No other personnel were permitted access to the room. The Cryptographic Operation Control Software required a PIN code to be entered before the software could communicate with any smart card (holding encryption key component [Key Access Component Card]) used during the Signing Event.