The Key Templates sub-module is used to define the attributes of keys generated in HSM devices. Each HSM vendor requires its own set of attributes to generate different types of keys. In this module, key templates can be defined per vendor and then linked to a specific crypto profile, so that when keys are generated in that crypto profile, the relevant key template is used to set the key attributes.


The following screen shows some of the default key templates and their respective types:



A new template can be created by clicking the + icon. The Edit/View/Delete options can be found under the vertical ellipsis.


New Key Template


To create a new key template, click the ‘+’ button. It will display the following screen:


Key Template Identification



The above screen shows the basic information about the key template. Fill in the required information and click the Next arrow (>) to proceed to the RSA Key Attributes screen.


RSA Key Attributes



The above screen shows the Private, Public and Extractable RSA Key Attributes that can be configured in ADSS Server. Fill in the required information and click the Next arrow (>) to proceed to the ECDSA Key Attributes screen.


ECDSA Key Attributes



The above screen shows the Private, Public and Extractable ECDSA Key Attributes that can be configured in ADSS Server. Fill in the required information and click the Next arrow (>) to proceed to the Secret Key Attributes screen.


Secret Key Attributes



The above screen shows the HMAC and Key Encryption Key (KEK) Secret Key Attributes that can be configured in ADSS Server. Fill in the required information and click the SAVE button. The information is saved and the new Key Template is created.


The following is a description of the above key template attributes:


Items

Description

Template Type

It contains a list of crypto source vendors supported by ADSS Server for which the required key template will be created. 

Template ID

A user-defined unique Template ID for easier human recognition within the ADSS user Console. Once a Template ID is created, it cannot be changed.

Template Description

This can be used to describe the Template in more detail. This is for information purposes only.

RSA Key Attributes

Defines the attributes of RSA keys generated in HSM. It contains the following attribute types:

Private Key Attributes

These attributes hold the RSA private object and define the set of attributes to be associated with the RSA private key. The key attributes that can be configured for the private key include: Private, Extractable, Sign, Sensitive, Decrypt, Modifiable, Token and Unwrap.

Public Key Attributes

These attributes hold the RSA public object and define the set of attributes to be associated with the RSA public key. The key attributes that can be configured for the public key include: Private, Encrypt, Verify, Modifiable, Wrap and Token.

Extractable Key Attributes

These attributes are defined when key wrapping is enabled for static and dynamic KEK generation. The key attributes that can be configured for the extractable key include: Extractable, Sensitive, Wrap, Unwrap and Token.


The list of key attributes available on the console depends upon the crypto source profile selected in the Template Type drop-down.

ECDSA Key Attributes

Defines the attributes of ECDSA keys generated in HSM. It contains the following attribute types:

Private Key Attributes

These attributes hold the ECDSA private object and define the set of attributes to be associated with the ECDSA private key. The key attributes that can be configured for the ECDSA private key include: Private, Extractable, Sign, Sensitive, Decrypt and Token.

Public Key Attributes

These attributes hold the ECDSA public object and define the set of attributes to be associated with the ECDSA public key. The key attributes that can be configured for the ECDSA public key include: Private, Encrypt, Verify and Token.

Extractable Key Attributes

These attributes are used and defined when key wrapping is enabled for static and dynamic KEK generation. The key attributes that can be configured for the extractable key include: Extractable, Sensitive, Wrap, Unwrap and Token.

Extractable Key Attributes will not be available in case of Utimaco CryptoServer CP5 and Thales Luna K7 (EN 419221-5).


Secret Key Attributes

Defines the attributes of secret keys generated in HSM. It contains the following attribute types:

HMAC Key Attributes

It defines the attributes of the HMAC key when generated in HSM. The key attributes that can be configured for the HMAC key include: Encrypt, Sign, Verify, Decrypt, Wrap, Unwrap, Token and Sensitive.

Key Encryption Key Attributes (KEK)

It defines the attributes of the KEK when generated in HSM. The key attributes that can be configured for the KEK include: Private, Encrypt, Sign, Verify, Decrypt, Wrap, Unwrap, Token and Sensitive.
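
The attribute lists above can be turned into a review check that is run on a template before it is linked to a crypto profile. The following Python is an added example, not ADSS Server code or an ADSS API: the dictionary layout, `review_template` and the sample template are hypothetical, and the risk checks assume the attributes behave like their PKCS#11 namesakes.

```python
# Added example, not ADSS Server code: review a key template before it is linked
# to a crypto profile. The dict layout and all function names are hypothetical.
# Attributes the description table lists as configurable for each key object.
ALLOWED = {
    ("RSA", "private"): "Private Extractable Sign Sensitive Decrypt Modifiable Token Unwrap",
    ("RSA", "public"): "Private Encrypt Verify Modifiable Wrap Token",
    ("RSA", "extractable"): "Extractable Sensitive Wrap Unwrap Token",
    ("ECDSA", "private"): "Private Extractable Sign Sensitive Decrypt Token",
    ("ECDSA", "public"): "Private Encrypt Verify Token",
    ("ECDSA", "extractable"): "Extractable Sensitive Wrap Unwrap Token",
    ("Secret", "hmac"): "Encrypt Sign Verify Decrypt Wrap Unwrap Token Sensitive",
    ("Secret", "kek"): "Private Encrypt Sign Verify Decrypt Wrap Unwrap Token Sensitive",
}
# The page notes, under ECDSA, that these have no Extractable Key Attributes.
NO_ECDSA_EXTRACTABLE = {"Utimaco CryptoServer CP5", "Thales Luna K7 (EN 419221-5)"}
SECRET_BEARING = {"private", "hmac", "kek"}  # objects holding private or secret material

def review_template(template):
    """Return a sorted list of findings for one template dict."""
    findings = []
    for (algo, obj), attrs in template["objects"].items():
        where = f"{algo}/{obj}"
        allowed = set(ALLOWED.get((algo, obj), "").split())
        for name in sorted(set(attrs) - allowed):
            findings.append(f"{where}: '{name}' is not listed for this key object")
        if (algo, obj) == ("ECDSA", "extractable") and template["type"] in NO_ECDSA_EXTRACTABLE:
            findings.append(f"{where}: not available for {template['type']}")
        if obj in SECRET_BEARING:
            # Assumption: PKCS#11-like semantics; an attribute left unset counts as off.
            if not attrs.get("Sensitive", False):
                findings.append(f"{where}: Sensitive is off, key value may be readable in clear")
            if attrs.get("Extractable", False):
                findings.append(f"{where}: Extractable is on, confirm key wrapping is intended")
            if attrs.get("Sign", False) and attrs.get("Decrypt", False):
                findings.append(f"{where}: Sign and Decrypt both on, key serves two purposes")
    return sorted(findings)

# Constructed sample template (not exported from a real ADSS Server).
SAMPLE = {
    "type": "Thales Luna K7 (EN 419221-5)",
    "objects": {
        ("RSA", "private"): {"Private": True, "Sensitive": False, "Sign": True,
                             "Decrypt": True, "Extractable": True, "Token": True},
        ("ECDSA", "public"): {"Verify": True, "Token": True, "Wrap": True},
        ("ECDSA", "extractable"): {"Extractable": True, "Sensitive": True},
    },
}

print("\n".join(review_template(SAMPLE)))
```
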



Search Key Template


Clicking on the Advance Search icon will display the following screen:



As shown in the screen above, a Key Template can be searched based upon Template Type and Template ID. The Template Type drop-down includes the default crypto source vendors such as Utimaco, Thales Safenet, nCipher nShield, Utimaco CP5 CC EAL4+ EN419221-5, Thales Luna K7 (CC EAL4+ EN 419221-5), nCipher nShield Solo X (CC EAL4+ EN 419122-5) and other crypto source vendors. The user can search for the required Key Template based on the desired configuration.

