---
title: "Fortanix DSM for Issuing Key Attestation Statements"
slug: "using-fortanix-dsm-for-issuing-key-attestation-statements"
updated: 2026-04-01T08:46:14Z
published: 2026-03-19T09:43:47Z
canonical: "support.fortanix.com/using-fortanix-dsm-for-issuing-key-attestation-statements"
---


# Fortanix DSM for Issuing Key Attestation Statements

## 1.0 Introduction

This article describes how to obtain key attestation statements, which attest that a security object was generated in **Fortanix Data Security Manager (DSM)** and is not exportable. This attestation helps users prove to a Certificate Authority (CA) that the key underpinning a Certificate Signing Request (CSR) was generated by Fortanix DSM and is non-exportable. The attestation is in the form of X.509 certificates within the Fortanix attestation and provisioning Public Key Infrastructure (PKI) hierarchy.

## 2.0 Issuing Key Attestation Statements in Fortanix DSM

The **Fortanix DSM Cluster Key Attestation Authority** issues the **Key Attestation Statements** for keys residing on a Fortanix DSM SaaS cluster.

The issued **Key Attestation Statements** contain claims about the target key. The claims fall into two groups:

- Claims about the key at generation time, for example, generated in this Fortanix DSM SaaS cluster, generated as non-exportable, and so on.
- Claims about the current state of the key, for example, the current set of key permissions.

### 2.1 Key Attestation Certificate APIs

The following API endpoint is used for requesting a **Key Attestation Statement**. *For more information, refer to the Fortanix Open API documentation.*

`KeyAttestation`: [API] - `POST /crypto/v1/keys/key_attestation`

The API performs the following operations:

- Checks if the Fortanix DSM SaaS cluster is capable of issuing key attestation statements.
- Checks if the target security object is suitable for key attestation.
- If a suitable key attestation statement already exists, it is returned; otherwise, a new certificate is issued and stored for future use.

**Session Type**: `SessionAuth<(App, UserInAccount)>`

**Method**: POST

**Request Body**:

```json
{
    "key": {
        "kid": ""
    }
}
```

**Output JSON**:

```json
{
    "authority_chain": [
        "MIIFZzCCA0+ ...="
    ],
    "attestation_statement": {
        "format": "x509_certificate",
        "statement": "MIIC+TCCAB..."
    }
}
```
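A relying party that receives this response together with a CSR will want to confirm that the attested key is the key in the CSR. The following Python is an added example, not Fortanix code: it assumes `statement` is a base64-encoded DER X.509 certificate whose subject public key is the attested key, and the function names and the skeleton DER sample are constructed for illustration. It compares public keys only; signatures and the `authority_chain` still need full X.509 path validation.

```python
import base64
import json

def tlv(data, pos=0):
    """Read one DER element at pos; return (tag, content_start, end)."""
    tag, first = data[pos], data[pos + 1]
    if first == 0x80:
        raise ValueError("indefinite length is not valid DER")
    n = first & 0x7F if first > 0x80 else 0   # long form: n length bytes follow
    start = pos + 2 + n
    length = int.from_bytes(data[pos + 2:start], "big") if n else first
    if start + length > len(data):
        raise ValueError("truncated DER element")
    return tag, start, start + length

def fields(der):
    """Yield (tag, raw) fields of TBSCertificate or CertificationRequestInfo."""
    _, outer, _ = tlv(der)
    _, pos, end = tlv(der, outer)
    while pos < end:
        tag, _, nxt = tlv(der, pos)
        yield tag, der[pos:nxt]
        pos = nxt

def cert_spki(cert_der):
    f = list(fields(cert_der))
    # v2/v3 certificates begin with an explicit [0] version field; v1 omits it
    return f[6 if f[0][0] == 0xA0 else 5][1]

def csr_spki(csr_der):
    return list(fields(csr_der))[2][1]        # version, subject, subjectPKInfo

def attested_key_matches_csr(response_json, csr_der):
    stmt = json.loads(response_json)["attestation_statement"]
    if stmt["format"] != "x509_certificate":
        raise ValueError("unsupported attestation format")
    cert = base64.b64decode(stmt["statement"], validate=True)
    return cert_spki(cert) == csr_spki(csr_der)

# Constructed skeleton DER for the demo, not real Fortanix DSM output.
def _enc(tag, body=b""):
    return bytes([tag, len(body)]) + body
def sample(key_byte):
    spki = _enc(0x30, _enc(0x30, _enc(0x06, b"\x2a\x03")) + _enc(0x03, b"\x00" + key_byte * 8))
    sig = _enc(0x30) + _enc(0x03, b"\x00")
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30) * 4 + spki)
    csr = _enc(0x30, _enc(0x30, _enc(0x02, b"\x00") + _enc(0x30) + spki + _enc(0xA0)) + sig)
    stmt = {"format": "x509_certificate", "statement": base64.b64encode(_enc(0x30, tbs + sig)).decode()}
    return json.dumps({"authority_chain": [], "attestation_statement": stmt}), csr
```

`sample(b"\x01")` returns a response and a CSR that share one public key; a CSR built with a different byte makes the comparison fail.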

### 2.2 Key Attestation Using Fortanix SDKMS-CLI Python Tool

The following commands can be used to perform key attestation using the `sdkms-cli` Python tool:

**Using Key UUID**:

```bash
./sdkms-cli key-attestation --kid <key_id>
```

**Using Key Name**:

```bash
./sdkms-cli key-attestation --name S
```

A security object is any datum stored in DSM (for example, a key, a certificate, a password, or other security objects). Each security object is assigned to exactly one group. Users and applications assigned to the group have permission to see the security object and to perform operations on it.

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.

