I’m trying to figure out how to generate private key for the Root CA according the principles of WebTrust.
One additional requirement I have that the generate private key should be then imported to any HSM, independent of the vendor.
I have never done any WebTrust audit, so I am not able to figure out if something like that will break any principle or requirement. The following high level procedure can from my point of view ensure secure backup of private keys that can be imported to any HSM (the assumption is that all HW is certified according FIPS 140-2 Level 3 or similar):
- Generate strong symmetric key (e.g. AES-256) inside HSM with certified RNG
- Provide clear-text of at least 2 components of AES-256 key to key custodians, they will record it (or securely print it to security envelopes)
- Check the integrity of the components using KCV to be sure that it was recorded correctly
- Store the clear-text key components in secure envelopes inside safe, each separately
- Generate 4096 RSA private key inside the same HSM
- Export private key using AES key in a PKCS#8 format to file
- Create HMAC of generated file in order to record and verify later integrity of exported RSA key using the same AES key
- Delete RSA na AES key from HSM
The key generation procedure is supervised and the output is RSA key in PKCS#8 encrypted by AES key which is securely stored in clear-text components in safes (or it can be achieved the same using smart cards, PIN protected).
Then when I would like to import it into HSM, I should follow the supervised procedure on importing AES-256 key, and then importing RSA key which would not be exportable anymore, and delete the AES wrapping key.
The security of all keys should be ensured. Do you see any weak points, what would not be considered secure mainly form the WebTrust point of view?