Remote Key Attestation

Code Signing and AATL document signing certificates are two discrete certificate products which require an additional and objective assurance regarding the generation of the corresponding private key. When a customer purchases such a certificate type from a publicly trusted CA, a procedure called remote key attestation or key verification is required, attesting that the private key of the certificate is properly generated and stored in the customer's HSM or token device.

Per CA/B Forum's Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates:

CAs SHALL ensure that the Subscriber’s private key is generated, stored and used in a crypto module that meets or exceeds the requirements of FIPS 140-2 level 2.
Acceptable methods of satisfying this requirement include (but are not limited to) the following:

  • [...]
  • (c). The Subscriber provides a suitable IT audit indicating that its operating environment achieves a level of security at least equivalent to that of FIPS 140-2 level 2.

Per Adobe's Approved Trust List Requirements:


The Member must be generating and protecting key pair(s) for the supplied certificate(s) in a medium that prohibits exportation and duplication that could allow unauthorized use of the private or secret keys.

A hardware security module that meet FIPS 140-2 Level 3 or equivalent provides a suitable medium.

Certificate Authorities traditionally perform in-house the witnessing of remote key material generation inside the customers' FIPS compliant infrastructure. This usually accretes the total cost of EVCS, document signing and cloud signing certificates. By delegating the witnessing procedure to a trusted external entity, issuing CAs achieve a reduction of the total time required for issuing these types of certificates which translates to a reduced cost.

Defining the Responsibility

The responsibility of delegating a remote key attestation to a trusted external entity (CAB or accredited auditor) is split between the issuing CA and the customer.
This means that while an issuing CA can consider this method as accepted and decouple the witnessing activity from the rest of the validation process, the customer should inquire for the remote key attestation service.
Despite the fact that it is not an uncommon procedure, it requires thorough evaluation of the competency, capabilities and ethics of the party performing the attestation, prior to be considered accepted by the issuing CA.

Accredited Attestation Procedure

By leveraging our team of certified cybersecurity experts, a real-time observation of the key material generation procedure is performed, ensuring that the appropriate controls and procedures were applied from key generation to key storage. At the end of the witnessing procedure, we provide you with a signed attestation letter regarding the proper generation of key material inside your FIPS compliant device, located on-premises or on cloud.

Our perennial experience in cryptographic solutions and key management practices, allows to support the majority of vendors and service providers that offer physical HSMs, cloud HSMs or KMS with FIPS 140-2 Level 2 or Level 3 compliance.


Our PKI specialists are more than happy to discuss the solution with you!


Latest News

Ukrainian NBU BankID System preparing for EU recognition

SpearIT is pleased to announce that has undertaken the preliminary conformity assessment of Ukraine's BankID national electronic identification scheme, ...

Read More

Cypriot National eID becomes notified

SpearIT is pleased to announce that the electronic identification (eID) scheme of Cyprus has now been notified as LoA High...

Read More

Cypriot National eID becomes pre-notified

SpearIT is pleased to announce that the first Cypriot electronic identification (eID) scheme has now been pre-notified in the eIDAS Cooperation Network...

Read More