1.0 Introduction
This article describes the steps to obtain key attestation statements that attest that a security object was generated in Fortanix Data Security Manager (DSM) and is not exportable. This attestation helps users prove to a Certificate Authority (CA) that the key underpinning a Certificate Signing Request (CSR) was generated by Fortanix DSM and is non-exportable. The attestation takes the form of X.509 certificates issued within the Fortanix attestation and provisioning Public Key Infrastructure (PKI) hierarchy.
2.0 Issuing Key Attestation Statements in Fortanix DSM
The Fortanix DSM Cluster Key Attestation Authority issues the Key Attestation Statements for keys residing on a DSM SaaS cluster.
The issued Key Attestation Statements contain claims about the target key. The claims fall into two groups:
Claims about the key at generation time, for example: generated in this DSM SaaS cluster, generated as non-exportable, and so on.
Claims about the current state of the key, for example: the current set of key permissions.
2.1 Key Attestation Certificate APIs
The following API endpoint is used to request a Key Attestation Statement. For more details, refer to the Fortanix OpenAPI documentation.
KeyAttestation: [API] POST /crypto/v1/keys/key_attestation
The API performs the following operations:
Checks whether the Fortanix DSM SaaS cluster is capable of issuing key attestation statements.
Checks whether the target security object is suitable for key attestation.
If a suitable key attestation statement already exists, it is returned; otherwise, a new certificate is issued and stored for future use.
Session Type: SessionAuth<(App, UserInAccount)>
Method: POST
Request Body:
{
  "key": {
    "kid": ""
  }
}
Output JSON:
{
  "authority_chain": [
    "MIIFZzCCA0+ ...="
  ],
  "attestation_statement": {
    "format": "x509_certificate",
    "statement": "MIIC+TCCAB..."
  }
}
2.2 Key Attestation Using Fortanix SDKMS-CLI Python Tool
The following commands can be used to perform key attestation using the sdkms-cli Python tool:
Using Key UUID:
./sdkms-cli key-attestation --kid <key_id>
Using Key Name:
./sdkms-cli key-attestation --name S