See below for the practice statements on key pair generation.
CA Key Pair Generation
At the RA's request, an API-based, automated, documented process is executed to generate CA Key Pairs.
The CA system will perform the following when generating a CA Key Pair:
- Generate the CA Key Pair in a physically secured environment;
- Generate the CA Key Pair within hardware cryptographic modules meeting the applicable requirements of §6.2.11;
- Log its CA Key Pair generation activities; and
- Maintain adequate controls to provide reasonable assurance that the Private Key was generated and protected in conformance with the procedures described in this CPS.
Subscriber Key Pair Generation
The Applicant or Subscriber must generate or initiate a new, secure, and cryptographically sound Key Pair to be used with the Subscriber’s Certificate or Applicant’s Certificate Application.
PKIaaS generates Subscriber Key Pairs only when the chosen certificate profile supports the PKCS #12 format.
Key Delivery to Subscriber
In the case where the CA generates the Key Pair on behalf of the Subscriber, the Private Key will be delivered to the Subscriber in a cryptographically secure manner with at least 168-bit encryption strength in a PKCS #12 format.
Public Key Delivery to Certificate Issuer
Subscriber Public Keys are delivered to the CA in a Certificate Signing Request as part of the Certificate Application process.
CA Public Key Delivery to Relying Parties
The CA Public Keys are provided to the Relying Parties by the RA.
Key Sizes
For CA and Subscriber Certificates, the key sizes supported are:
- RSA 4096
- RSA 3072
- RSA 2048
- ECDSA P-521
- ECDSA P-384
- ECDSA P-256
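The two statements above (Public Keys arrive in a Certificate Signing Request, and only the listed RSA sizes and ECDSA curves are supported) describe a check that an issuing system applies before signing. The following Go program is an added illustration written for this page; it is not code from the CPS or from any CA product. It parses a PEM CSR with the Go standard library, verifies the CSR's own signature as proof of possession, and accepts the key only if it matches the list under Key Sizes. The policy maps, the function names and the throwaway key generation in SampleCSR are assumptions made here for a runnable example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
)

// Supported sizes, mirroring the CPS "Key Sizes" list. The variable names and
// the checking code itself are illustrative and not part of the CPS.
var allowedRSABits = map[int]bool{2048: true, 3072: true, 4096: true}
var allowedCurves = map[string]bool{"P-256": true, "P-384": true, "P-521": true}

// CheckCSRKey parses a PEM-encoded CSR as submitted in a Certificate
// Application, verifies the CSR's own signature (proof that the applicant holds
// the private key) and returns a short description of the key when it is one
// of the supported algorithms and sizes. Anything else is rejected with an error.
func CheckCSRKey(csrPEM []byte) (string, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return "", fmt.Errorf("input does not contain a CERTIFICATE REQUEST block")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", fmt.Errorf("parse CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return "", fmt.Errorf("CSR self-signature invalid: %w", err)
	}
	switch pub := csr.PublicKey.(type) {
	case *rsa.PublicKey:
		bits := pub.N.BitLen()
		if !allowedRSABits[bits] {
			return "", fmt.Errorf("RSA %d-bit key is not a supported size", bits)
		}
		return fmt.Sprintf("RSA %d", bits), nil
	case *ecdsa.PublicKey:
		name := pub.Curve.Params().Name
		if !allowedCurves[name] {
			return "", fmt.Errorf("ECDSA curve %s is not supported", name)
		}
		return fmt.Sprintf("ECDSA %s", name), nil
	default:
		return "", fmt.Errorf("unsupported public key type %T", pub)
	}
}

// SampleCSR generates a throwaway key of the requested kind and wraps it in a
// PEM CSR. It exists only to construct sample input offline; a real Subscriber
// generates its own Key Pair, as the CPS requires.
func SampleCSR(alg string, size int) ([]byte, error) {
	var key crypto.Signer
	var err error
	switch alg {
	case "rsa":
		key, err = rsa.GenerateKey(rand.Reader, size)
	case "ecdsa":
		curves := map[int]elliptic.Curve{224: elliptic.P224(), 256: elliptic.P256(),
			384: elliptic.P384(), 521: elliptic.P521()}
		c, ok := curves[size]
		if !ok {
			return nil, fmt.Errorf("no curve for size %d", size)
		}
		key, err = ecdsa.GenerateKey(c, rand.Reader)
	default:
		return nil, fmt.Errorf("unknown algorithm %q", alg)
	}
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "sample.invalid"}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

func main() {
	// Two keys from the supported list, then two that the policy must reject.
	for _, c := range []struct {
		alg  string
		size int
	}{{"rsa", 2048}, {"ecdsa", 384}, {"ecdsa", 224}, {"rsa", 1024}} {
		csr, err := SampleCSR(c.alg, c.size)
		if err != nil {
			fmt.Println("generate:", err)
			continue
		}
		if desc, err := CheckCSRKey(csr); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted:", desc)
		}
	}
}
```

Checking the CSR signature before looking at the key matters: a CSR whose signature does not verify is evidence that the applicant does not hold the matching Private Key, and the key-size check alone would not catch that.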
Public Key Parameters Generation and Quality Checking
CA Public Keys are generated and protected on a cryptographic module compliant with at least FIPS 140-2 Level 3 certification standards.
Subscriber Public Keys: no stipulation.
Key Usage Purposes
No stipulation.