Remote Key Attestation

Extended Validation Code Signing (EVCS) and AATL document signing certificates are two discrete certificate products which require an additional and objective assurance regarding the generation of the corresponding private key. When a customer purchases such a certificate type from a publicly trusted CA, a procedure called remote key attestation or key verification is required, attesting that the private key of the certificate is properly generated and stored in the customer's HSM or token device.

As per the CAB Forum EVCS Requirements:

CAs SHALL ensure that the Subscriber’s private key is generated, stored and used in a crypto module that meets or exceeds the requirements of FIPS 140-2 level 2.
Acceptable methods of satisfying this requirement include (but are not limited to) the following:

  • [...]
  • (c). The Subscriber provides a suitable IT audit indicating that its operating environment achieves a level of security at least equivalent to that of FIPS 140-2 level 2.

As per the AATL Requirements:


The Member must be generating and protecting key pair(s) for the supplied certificate(s) in a medium that prohibits exportation and duplication that could allow unauthorized use of the private or secret keys.

A hardware security module that meet FIPS 140-2 Level 3 or equivalent provides a suitable medium.

Certificate Authorities traditionally perform in-house the witnessing of remote key material generation inside the customers' FIPS compliant infrastructure. This usually accretes the total cost of EVCS, document signing and cloud signing certificates. By delegating the witnessing procedure to a trusted external entity, issuing CAs achieve a reduction of the total time required for issuing these types of certificates which translates to a reduced cost.

Defining the Responsibility

The responsibility of delegating a remote key attestation to a trusted external entity (CAB or accredited auditor) is split between the issuing CA and the customer.
This means that while an issuing CA can consider this method as accepted and decouple the witnessing activity from the rest of the validation process, the customer should inquire for the remote key attestation service.
Despite the fact that it is not an uncommon procedure, it requires thorough evaluation of the competency, capabilities and ethics of the party performing the attestation, prior to be considered accepted by the issuing CA.

Accredited Attestation Procedure

By leveraging our team of accredited PKI auditors, a real-time observation of the key material generation procedure is performed, ensuring that the appropriate controls and procedures were applied from key generation to key storage. At the end of the witnessing procedure, we provide you with a signed attestation letter regarding the proper generation of key material inside your FIPS compliant device, located on-premises or on cloud.

Our perennial experience in cryptographic solutions and key management practices, allows to support the majority of vendors and service providers that offer physical HSMs, cloud HSMs or KMS with FIPS 140-2 Level 2 or Level 3 compliance.


Our PKI specialists are more than happy to discuss the solution with you!


Latest News

EU NIS Directive Receives Update Proposal

On 6 December 2020, the EU Commission published its proposal for a revision of the Directive on Security of Network and Information Systems (EU NIS Directive)...

Read More

EU eID Schemes Landscape

Electronic Identification (eID) is a digital solution for the identity proofing of citizens or organizations achieving mutual recognition of electronic identification schemes across borders and increases citizens confidence in the online world...
Read More

Digital transformation and the EU NIS Directive

There is an observed ongoing movement towards digital transformation during the very last years, not only in private and enterprise environments but also in critical national infrastructure operators...
Read More