---
title: "LMS Keys - FAQs"
slug: "lms-keys-faqs"
updated: 2025-03-12T07:54:57Z
published: 2025-03-12T07:54:57Z
---


# LMS Keys - FAQs

## 1.0 Frequently Asked Questions

---

**What are Fortanix's limitations on LMS Key tree size?**

The Fortanix LMS implementation is a two-level Hierarchical Signature System (HSS) whose tree heights are given as a list [`h₁`, `h₂`], where `h₁` is the height of the top-level tree and `h₂` is the height of the secondary-level tree. Both `h₁` and `h₂` must be multiples of `5`, and the sum of the two tree heights must not exceed `25`, that is, `h₁ + h₂ <= 25`.

**How many signatures can an LMS key perform for the lifetime of the key?**

The "key capacity" is the number of signatures that an LMS key can perform over its lifetime. It is equal to `2 ^ (h₁ + h₂)`. For example, a (5,5) key or tree can produce 1024 signatures.

**What does an LMS signature look like? How would it be verified by an external library?**

*See* [*RFC8554 - Section 6.2*](https://datatracker.ietf.org/doc/html/rfc8554#section-6.2) *and* [*RFC8708 - Section 2.2*](https://www.rfc-editor.org/rfc/rfc8708.html#name-leighton-micali-signature-l).

> [!NOTE]
> Since there are two trees (`h₁` and `h₂`), there is only one signed public key. Fortanix also includes the public key. One LMS signature that is needed to define HSS on the next layer is serialized into `1132 + 32 × h` bytes.
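
The two-level layout from RFC 8554 Section 6.2 can be walked structurally before a signature is handed to a verifier; the following Python is an added example, not Fortanix code. It assumes the SHA-256 typecodes from RFC 8554 (the sample uses LM-OTS W8, for which each LMS signature comes to `1132 + 32 × h` bytes) and in-order leaf use when deriving the signature's ordinal; all function names are illustrative.

```python
import struct

LMOTS_P = {1: 265, 2: 133, 3: 67, 4: 34}    # RFC 8554 LM-OTS SHA-256 typecode -> p
LMS_H = {5: 5, 6: 10, 7: 15, 8: 20, 9: 25}  # RFC 8554 LMS SHA-256 typecode -> height h
N = 32                                      # hash output length in bytes
PUBKEY_LEN = 4 + 4 + 16 + N                 # lms_type || lmots_type || I || T[1]

def _u32(buf, off):
    if off + 4 > len(buf):
        raise ValueError(f"truncated at offset {off}")
    return struct.unpack_from(">I", buf, off)[0], off + 4

def parse_lms_signature(buf, start):
    """One LMS signature: q || lmots_type || C || y[0..p-1] || lms_type || path."""
    q, off = _u32(buf, start)
    ots, off = _u32(buf, off)
    if ots not in LMOTS_P:
        raise ValueError(f"unknown LM-OTS type {ots}")
    off += N + LMOTS_P[ots] * N              # skip randomizer C and the p chain values
    lms, off = _u32(buf, off)
    if lms not in LMS_H:
        raise ValueError(f"unknown LMS type {lms}")
    h = LMS_H[lms]
    off += h * N                             # skip the h-node authentication path
    if off > len(buf) or q >= 1 << h:
        raise ValueError("truncated signature or leaf index out of range")
    return {"q": q, "h": h, "size": off - start}, off

def parse_hss_signature(sig):
    """Two-level HSS: Nspk (= 1) || LMS sig || LMS public key || LMS sig."""
    nspk, off = _u32(sig, 0)
    if nspk != 1:
        raise ValueError("two-level HSS carries exactly one signed public key")
    top, off = parse_lms_signature(sig, off)
    off += PUBKEY_LEN                        # second-level public key signed by top
    bottom, off = parse_lms_signature(sig, off)
    if off != len(sig):
        raise ValueError(f"parsed {off} of {len(sig)} bytes")
    # Assumption: leaves are used in order, so index is this signature's ordinal.
    index = top["q"] * (1 << bottom["h"]) + bottom["q"]
    return {"top": top, "bottom": bottom, "index": index,
            "capacity": 1 << (top["h"] + bottom["h"])}

def sample_signature(q1, q2, lms1=5, lms2=5, ots=4):
    """Constructed, structure-only sample: zero-filled, not cryptographically valid."""
    def lms_sig(q, lms):
        return (struct.pack(">II", q, ots) + bytes(N + LMOTS_P[ots] * N)
                + struct.pack(">I", lms) + bytes(LMS_H[lms] * N))
    pub = struct.pack(">II", lms2, ots) + bytes(16 + N)
    return struct.pack(">I", 1) + lms_sig(q1, lms1) + pub + lms_sig(q2, lms2)
```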

**Is there a way to check the number of signatures performed with an LMS key?**

Users need to keep track of the number of signatures that are produced.

**What RSC are we using for LMS-based certificates?**

Fortanix does not format LMS keys in certificates.

**Can the Fortanix PKCS#11 library handle verification for signing for external apps?**

PKCS#11 will verify any valid signature within the available [PKCS#11 supported mechanisms](/v1/docs/pkcs11-supported-functions-and-mechanisms#mechanisms-supported) as long as the input signature is in a format that PKCS#11 understands. LMS is not supported in PKCS#11.

**What are Fortanix’s stance and best practices for CSR generation?**

Some best practices are:

- Add the CA key inside Fortanix DSM and adequately verify the CSR for authentication before signing.

#### Does the number of signings start over with an LMS key if the key is rotated?

Yes. It starts over.

