This article describes how to use a secure key injection protocol (SKIP) for constrained devices in Smart ID Certificate Manager (CM). Such a device is only required to generate an initial factory key pair; the rest of the required key pairs are generated and provided by Certificate Manager.
The protocol consists of a single request and response exchange.
- The request contains a single PKCS#10 encoded certificate signing request with the initial factory public key.
- The response contains a CMS SignedData type with the generated key pairs and issued certificates.
Security services in the secure key injection protocol
The secure key injection protocol provides the following security services:
The initial factory key pair and the ephemeral key pair must support both key agreement and digital signature. They must also be generated from the same domain parameters.
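As an added illustration (not Certificate Manager code and not part of the original article), the Python sketch below checks the requirement above on two DER-encoded SubjectPublicKeyInfo structures: both keys must use the unrestricted id-ecPublicKey algorithm, which RFC 5480 permits for both ECDSA and ECDH, and must name the same curve. The function names, the restriction to named-curve parameters, and the sample keys (P-256 and P-384 headers with filler bytes instead of real curve points) are assumptions constructed for the example and say nothing about which curves CM supports.

```python
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"  # unrestricted EC key: ECDSA and ECDH (RFC 5480)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets into dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last octet of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def ec_domain(spki):
    """Return (algorithm OID, named-curve OID) of a DER SubjectPublicKeyInfo."""
    outer_tag, body, _ = read_tlv(spki, 0)
    alg_tag, alg, _ = read_tlv(body, 0)  # AlgorithmIdentifier
    oid_tag, alg_oid, pos = read_tlv(alg, 0)
    curve_tag, curve_oid, _ = read_tlv(alg, pos)
    if (outer_tag, alg_tag, oid_tag, curve_tag) != (0x30, 0x30, 0x06, 0x06):
        raise ValueError("expected an EC public key with named-curve parameters")
    return decode_oid(alg_oid), decode_oid(curve_oid)

def same_domain(factory_spki, ephemeral_spki):
    """True if both keys are unrestricted EC keys on the same named curve."""
    f, e = ec_domain(factory_spki), ec_domain(ephemeral_spki)
    return f[0] == e[0] == ID_EC_PUBLIC_KEY and f[1] == e[1]

# Constructed samples: real SPKI headers, filler bytes in place of curve points.
P256 = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200")
P384 = bytes.fromhex("3076301006072a8648ce3d020106052b81040022036200")
P256_ECDH_ONLY = bytes.fromhex("3057301106052b8104010c06082a8648ce3d030107034200")
FACTORY = P256 + b"\x04" + b"\x11" * 64
EPHEMERAL_OK = P256 + b"\x04" + b"\x22" * 64
EPHEMERAL_P384 = P384 + b"\x04" + b"\x33" * 96
EPHEMERAL_ECDH = P256_ECDH_ONLY + b"\x04" + b"\x44" * 64  # id-ecDH: key agreement only
print(same_domain(FACTORY, EPHEMERAL_OK), same_domain(FACTORY, EPHEMERAL_P384))
```

The check reads only the AlgorithmIdentifier, so it catches a curve or key-usage mismatch but does not validate that the public point lies on the curve.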
Supported EC curves for factory and ephemeral key pairs
Supported EC curves for generated device key pairs
Key agreement algorithm
Private key encryption algorithm
Secure key package encoding
The generated and encrypted device private keys are encoded and signed as a CMS SignedData type.
The content is an ASN.1 encoded list of the generated device key pairs,
The key pairs are generated so that the private keys cannot be exported in clear text from the HSM.
This article is valid for CM 8.3 and later.