Using Fortanix DSM for Issuing Key Attestation Statements

1.0 Introduction

This article describes the steps to get key attestation statements that attest that a security object was generated in Fortanix Data Security Manager (DSM) and is not exportable. This attestation helps users prove to a Certificate Authority (CA) that the key underpinning a Certificate Signing Request (CSR) was generated by Fortanix DSM and is non-exportable. The attestation is in the form of X.509 certificates within the Fortanix attestation and provisioning Public Key Infrastructure (PKI) hierarchy.

2.0 Issuing Key Attestation Statements in Fortanix DSM

The Fortanix DSM Cluster Key Attestation Authority issues the Key Attestation Statements for keys residing on a DSM SaaS cluster.

The issued Key Attestation Statements would contain claims about the target key. The claims can be divided into two groups:

  • Claims about the key at generation time, for example: generated in this DSM SaaS cluster, generated as non-exportable, and so on.
  • Claims about the current state of the key, for example: the current set of key permissions.

2.1 Key Attestation Certificate APIs

The following API endpoint is used for requesting a Key Attestation Statement. For more details, refer to Fortanix Open API documentation.

  • KeyAttestation: [API] - POST /crypto/v1/keys/key_attestation

    The API performs the following operations:

    • Checks if the Fortanix DSM SaaS cluster is capable of issuing key attestation statements.
    • Checks if the target security object is suitable for key attestation.
    • If there is an existing suitable key attestation statement, it is returned, otherwise, a new certificate is issued and stored for future use.

Session Type: SessionAuth<(App, UserInAccount)>
Method: POST
Request Body:

    "key": {
        "kid": "<key_uuid>"

Output JSON:

    "authority_chain": [
        "MIIFZzCCA0+ ...="
    "attestation_statement": {
        "format": "x509_certificate",
        "statement": "MIIC+TCCAB...”

2.2 Key Attestation Using Fortanix SDKMS-CLI Python Tool

The following commands can be used to perform key attestation using the sdkms-cli Python tool:

Using Key UUID:

./sdkms-cli key-attestation --kid <key_id>

Using Key Name:

./sdkms-cli key-attestation --name S


Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful