Generate a hardware-based private key (TAP)
Important
The TrustEdge CLI certificate command can be built for one and only one of the following: TPM2 (default build of TrustEdge), PKCS11 (which can handle multiple PKCS11 providers simultaneously), or TAP REMOTE.
By using the --tap option with the trustedge certificate command, you can generate hardware-based private keys using a Trusted Application Platform (TAP). These keys are securely stored in a hardware module, such as a TPM, and are never exposed in software. The steps below guide you through generating an RSA or ECC private key using a TAP. See TAP/SMP ASN.1 key format for more details.
Note
TAP-based keys are not available for DSA or QS. For HYBRID keys, only the ECC portion can be TAP-based.
Step 1: Choose the algorithm and key parameters
For RSA keys, specify the key size with --size <size> and include the --tap option.
trustedge certificate --algorithm RSA --size 2048 --tap --output-file RSA_TAP_2048.pem
For ECC keys, specify the curve type with --curve <curve> and include the --tap option.
trustedge certificate --algorithm ECC --curve P256 --tap --output-file ECC_TAP_P256.pem
Step 2: Configure optional TAP parameters
You can further customize the TAP key generation by specifying additional TAP-related options, such as key usage or signature schemes.
For RSA keys with specific TAP key usage:
trustedge certificate --algorithm RSA --size 2048 --tap --tap-key-usage TAP_KEY_USAGE_SIGNING --output-file RSA_TAP_SIGN_2048.pem
For ECC keys with a specific TAP signature scheme:
trustedge certificate --algorithm ECC --curve P256 --tap --tap-sig-scheme TAP_SIG_SCHEME_ECDSA_SHA256 --output-file ECC_TAP_SIGN_P256.pem
Tip
To enhance the security of your private key, you can protect it with a password by including the --protect option with any of the commands above. After running the command, you will be prompted to enter a password to protect the private key.
Step 3: Verify the key creation
After generating the key, verify that the file was created correctly by listing the contents of the directory:
ls -l /etc/digicert/keystore/keys/
This command will display the files in the keystore/keys/ directory, including the newly created TAP-protected private key.
TAP/SMP ASN.1 key format
This section describes the ASN.1 module for TAP keys. The PrivateKeyInfo structure is defined in PKCS #8 and includes an algorithm identifier and the private key data, which is wrapped in an OCTET STRING.
These are the Object Identifiers (OIDs) used to build the OIDs in this document:
Note
mocana is 1.3.6.1.4.1.14421
mocana OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) mocana(14421) }
mocana-tap OBJECT IDENTIFIER ::= { mocana 19 }
When the following OIDs are used in an AlgorithmIdentifier, the parameters MUST be present and MUST be NULL:
mocana-tap-rsakey OBJECT IDENTIFIER ::= { mocana-tap 0x01 }
mocana-tap-ecckey OBJECT IDENTIFIER ::= { mocana-tap 0x02 }
mocana-tap-dsakey OBJECT IDENTIFIER ::= { mocana-tap 0x03 }
mocana-tap-rsaProtectedkey OBJECT IDENTIFIER ::= { mocana-tap 0x21 }
mocana-tap-eccProtectedkey OBJECT IDENTIFIER ::= { mocana-tap 0x22 }
mocana-tap-dsaProtectedkey OBJECT IDENTIFIER ::= { mocana-tap 0x23 }
Example definitions:
For RSA keys, the PrivateKey will be an OCTET STRING wrapping data encoded as follows:
MocanaTapRSAPrivateKey ::= SEQUENCE {
    version         Version,
    moduleId        ModuleId,
    modulus         INTEGER,
    publicExponent  INTEGER,
    tapPrivateKey   TapPrivateKey
}
For ECC keys, the PrivateKey will be an OCTET STRING wrapping data encoded as follows (ECParameters and ECPoint are defined in other standards, such as RFC 5480):
MocanaTapECCPrivateKey ::= SEQUENCE {
    version         Version,
    moduleId        ModuleId,
    parameters      ECParameters,
    publicKey       ECPoint,
    tapPrivateKey   TapPrivateKey
}
For DSA keys, the PrivateKey will be an OCTET STRING wrapping data encoded as follows (Dss-Parms and DSAPublicKey are defined in other standards, such as RFC 3279):
MocanaTapDSAPrivateKey ::= SEQUENCE {
    version         Version,
    moduleId        ModuleId,
    parameters      Dss-Parms,
    publicKey       DSAPublicKey,
    tapPrivateKey   TapPrivateKey
}

Version ::= INTEGER { v1(0) } (v1, ...)
ModuleId ::= INTEGER { tpm-1-2(1), tpm-2-0(2) } (tpm-1-2, tpm-2-0, ...)
TapPrivateKey ::= OCTET STRING
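Added example, not part of the TrustEdge documentation or tooling: a check that a DER-encoded PrivateKeyInfo carries one of the mocana-tap OIDs listed above and that its AlgorithmIdentifier parameters are NULL. It assumes an unencrypted key (generated without --protect) whose PEM body has already been base64-decoded, and it reads the 0x01 to 0x23 arcs as hexadecimal; the function names and the sample bytes are constructed for illustration.

```python
# Added example: function names are illustrative, not a TrustEdge API.
MOCANA_TAP = (1, 3, 6, 1, 4, 1, 14421, 19)
TAP_KEY_TYPES = {0x01: "rsakey", 0x02: "ecckey", 0x03: "dsakey", 0x21: "rsaProtectedkey",
                 0x22: "eccProtectedkey", 0x23: "dsaProtectedkey"}

def read_tlv(buf, pos, want):
    """Return (value, next_pos) of the DER element at pos; its tag must equal want."""
    if pos + 2 > len(buf) or buf[pos] != want:
        raise ValueError(f"expected tag 0x{want:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def decode_oid(body):                             # OID content octets -> tuple of arcs
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if not arcs or body[-1] & 0x80:
        raise ValueError("bad OID")
    first = min(arcs[0] // 40, 2)
    return (first, arcs[0] - 40 * first, *arcs[1:])

def classify_tap_key(der):
    """Return the mocana-tap key type name, or None if the OID is not a TAP OID."""
    pki, _ = read_tlv(der, 0, 0x30)               # PrivateKeyInfo SEQUENCE
    _version, pos = read_tlv(pki, 0, 0x02)        # version INTEGER
    alg, pos = read_tlv(pki, pos, 0x30)           # AlgorithmIdentifier SEQUENCE
    oid_body, params_at = read_tlv(alg, 0, 0x06)
    oid = decode_oid(oid_body)
    if oid[:-1] != MOCANA_TAP or oid[-1] not in TAP_KEY_TYPES:
        return None
    if alg[params_at:] != b"\x05\x00":            # parameters MUST be present and NULL
        raise ValueError("TAP AlgorithmIdentifier parameters must be NULL")
    read_tlv(pki, pos, 0x04)                      # privateKey OCTET STRING
    return "mocana-tap-" + TAP_KEY_TYPES[oid[-1]]

def der_short(tag, body):                         # sample builder, short-form lengths only
    return bytes([tag, len(body)]) + body
# Constructed sample: placeholder bytes stand in for the wrapped MocanaTapRSAPrivateKey.
SAMPLE = der_short(0x30, der_short(0x02, b"\x00") + der_short(0x30, der_short(0x06,
    bytes.fromhex("2b06010401f0551301")) + b"\x05\x00") + der_short(0x04, b"placeholder"))
```

A result of None means the file holds an ordinary software key (or an encrypted one) rather than a TAP key blob, which is worth flagging when the key was expected to be hardware-backed.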