Info: How does Certificate Manager generate, store, and deliver its keys?

Applies to:

All versions

How does Certificate Manager generate, store, and deliver its keys? This article explains the talking points we can use to convince customers to move their private key generation to our Certificate Manager server.

  1. Key Generation

  • The keys are generated using the Microsoft .NET cryptography library. Specifically, a new RSACryptoServiceProvider is created, which in turn generates a new private key. (More information about the RSACryptoServiceProvider can be found here: http://msdn.microsoft.com/en-us/library/s575f7e2)

  2. Key Storage

  • The private keys are then encrypted and stored in SecretStore. Information about which keys are used to perform the encryption can be found in the following locations:
    • Managing which encryption keys are used to secure which types of encryption assets
    • Managing the default DPAPI encryption key
    • DPAPI key information:
      • Director maintains all system information (configuration settings, managed server and certificate information, archived certificates, and private keys) in a database. To secure this information, Director uses an AES-256 encryption key, the DPAPI key, to encrypt the connection to the database, and, depending on the Encryption Key selected in the object configuration, the objects themselves may also be encrypted using the DPAPI key.
      • The DPAPI key is securely stored in the Windows registry. The attached document describes how the DPAPI key is protected by the OS.

  3. Key Delivery

  • The delivery of keys is application specific; most applications can have the key delivered in multiple formats. The delivery mechanism can be anything from a PFX to an unencrypted PEM-formatted private key.
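The three steps above (generation with RSACryptoServiceProvider, storage under an AES-256 key that is itself protected by the Windows DPAPI, and delivery as PFX or unencrypted PEM) can be walked through end to end in a small .NET program. The code below is an added illustration written for this article; it is not Certificate Manager's or Director's own code, and it assumes .NET 6 or later on Windows with the System.Security.Cryptography.ProtectedData package available. The AES-GCM mode, the 16-byte entropy value, the self-signed placeholder certificate, and all names (KeyLifecycleDemo, EncryptPrivateKey, DeliverAsPfx, etc.) are assumptions of this example, not details taken from the product.

```csharp
// Added example for this article (not Certificate Manager code).
// Assumes .NET 6+ on Windows; ProtectedData needs the
// System.Security.Cryptography.ProtectedData package.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class KeyLifecycleDemo
{
    // 1. Key generation: constructing an RSACryptoServiceProvider creates a fresh key pair.
    //    With the default constructor the CSP key container is not persisted, so the
    //    private key exists only in this process until it is exported and stored.
    public static RSACryptoServiceProvider GenerateKey(int bits = 2048) =>
        new RSACryptoServiceProvider(bits);

    // 2a. The "DPAPI key": an AES-256 key that is wrapped by the Windows DPAPI before it is
    //     written to storage (the article says Director keeps it in the registry).
    public static byte[] ProtectAesKeyWithDpapi(byte[] aesKey, byte[] entropy) =>
        ProtectedData.Protect(aesKey, entropy, DataProtectionScope.LocalMachine);

    public static byte[] UnprotectAesKeyWithDpapi(byte[] wrapped, byte[] entropy) =>
        ProtectedData.Unprotect(wrapped, entropy, DataProtectionScope.LocalMachine);

    // 2b. Encrypting the private key at rest with that AES-256 key. AES-GCM is an assumption
    //     of this example; the article does not state which AES mode Director uses.
    //     Output layout: nonce || tag || ciphertext.
    public static byte[] EncryptPrivateKey(RSA rsa, byte[] aesKey)
    {
        byte[] plain = rsa.ExportRSAPrivateKey();                               // PKCS#1 DER
        byte[] nonce = RandomNumberGenerator.GetBytes(AesGcm.NonceByteSizes.MaxSize); // 12 bytes
        byte[] tag = new byte[AesGcm.TagByteSizes.MaxSize];                      // 16 bytes
        byte[] cipher = new byte[plain.Length];
        using (var gcm = new AesGcm(aesKey))
            gcm.Encrypt(nonce, plain, cipher, tag);
        CryptographicOperations.ZeroMemory(plain);                               // drop the cleartext key
        byte[] stored = new byte[nonce.Length + tag.Length + cipher.Length];
        Buffer.BlockCopy(nonce, 0, stored, 0, nonce.Length);
        Buffer.BlockCopy(tag, 0, stored, nonce.Length, tag.Length);
        Buffer.BlockCopy(cipher, 0, stored, nonce.Length + tag.Length, cipher.Length);
        return stored;
    }

    public static RSA DecryptPrivateKey(byte[] stored, byte[] aesKey)
    {
        int nonceLen = AesGcm.NonceByteSizes.MaxSize, tagLen = AesGcm.TagByteSizes.MaxSize;
        ReadOnlySpan<byte> nonce = stored.AsSpan(0, nonceLen);
        ReadOnlySpan<byte> tag = stored.AsSpan(nonceLen, tagLen);
        ReadOnlySpan<byte> cipher = stored.AsSpan(nonceLen + tagLen);
        byte[] plain = new byte[cipher.Length];
        using (var gcm = new AesGcm(aesKey))
            gcm.Decrypt(nonce, cipher, tag, plain);                              // throws on tampering
        var rsa = RSA.Create();
        rsa.ImportRSAPrivateKey(plain, out _);
        CryptographicOperations.ZeroMemory(plain);
        return rsa;
    }

    // 3a. Delivery as PFX: certificate and key together, encrypted under a password.
    //     A self-signed certificate stands in for the CA-issued one (assumption).
    public static byte[] DeliverAsPfx(RSA rsa, string subject, string password)
    {
        var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 cert = req.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));
        return cert.Export(X509ContentType.Pfx, password);
    }

    // 3b. Delivery as unencrypted PEM: the bare private key, readable by anyone holding the file.
    public static string DeliverAsPem(RSA rsa) =>
        new string(PemEncoding.Write("RSA PRIVATE KEY", rsa.ExportRSAPrivateKey()));

    public static void Main()
    {
        using RSACryptoServiceProvider rsa = GenerateKey();
        byte[] entropy = RandomNumberGenerator.GetBytes(16);   // constructed; a real install would fix this per machine
        byte[] aesKey = RandomNumberGenerator.GetBytes(32);    // AES-256 "DPAPI key"
        byte[] wrappedAesKey = ProtectAesKeyWithDpapi(aesKey, entropy); // what would go to the registry
        byte[] storedKey = EncryptPrivateKey(rsa, aesKey);              // what would go to SecretStore

        // Later: unwrap the DPAPI key with the OS, then unwrap the private key with it.
        byte[] recoveredAes = UnprotectAesKeyWithDpapi(wrappedAesKey, entropy);
        using RSA recovered = DecryptPrivateKey(storedKey, recoveredAes);
        bool same = recovered.ExportRSAPublicKey().AsSpan().SequenceEqual(rsa.ExportRSAPublicKey());
        Console.WriteLine(same ? "round-trip ok" : "mismatch");

        Console.WriteLine($"PFX bytes: {DeliverAsPfx(rsa, "CN=demo.example", "pfx-pass").Length}");
        Console.WriteLine(DeliverAsPem(rsa).Substring(0, 31)); // "-----BEGIN RSA PRIVATE KEY-----"
    }
}
```

The two storage layers mirror the article's description: the private key is never written in the clear (it is encrypted under the AES-256 key), and that AES key is only usable on the machine whose DPAPI wrapped it. The delivery step shows the trade-off the last bullet refers to: a PFX keeps the key under a password until the consuming application opens it, while an unencrypted PEM relies entirely on the transport and file permissions at the destination.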

Attachment: Encryption of Data at Rest - DPAPI Overview v1.0.docx