For the latest version, please use Certificate Lifecycle Manager 6.0.0!

Key and Certificate Export, Migration and Bring-Your-Own-Key (BYOK) Support

Overview

MTG CLM can export and migrate certificates and keys, and supports Bring-Your-Own-Key (BYOK) scenarios. Which options apply depends on the type of key involved (end-entity or CA) and on the chosen deployment model.

Certificate and Key Export

  • Certificate Export: All issued certificates managed in the CLM platform can be exported in standard formats (e.g., PEM, DER) to support interoperability with external systems and migrations to other solutions.

  • Private Key Export: Private keys associated with end-entity certificates (for example, TLS, user, device or code signing certificates) that are stored within the CLM platform can be exported in standard formats (e.g., PKCS#12 / PFX, PEM) if they were marked as exportable when the key was created. Export is permitted only to roles granted that right under the role-based access control policy, and every export is recorded in the audit log.
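The export formats named above, worked through end to end with the openssl CLI. This is an added example, not MTG CLM tooling: it builds a constructed throwaway key and self-signed certificate in place of a certificate issued by the CLM, writes the certificate out as PEM and DER, packs key and certificate into a passphrase-protected PKCS#12 bundle, and then runs the checks a practitioner wants after any export: the DER copy has the same SHA-256 fingerprint as the PEM original, the bundle refuses a wrong passphrase, and the key recovered from the bundle still belongs to the certificate (same SubjectPublicKeyInfo digest). The passphrase is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not MTG CLM tooling: certificate export as PEM/DER, key export as
# PKCS#12, and consistency checks on the results. Needs only openssl 1.1.1 or later.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: a throwaway P-256 key and self-signed certificate standing in
# for an end-entity certificate (and its exportable private key) held in the CLM.
make_sample() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -sha256 \
    -days 1 -subj "/CN=export-demo.example" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Certificate export: PEM -> DER, plus the SHA-256 fingerprint used to confirm that
# both encodings carry the same certificate.
export_cert_der() { openssl x509 -in "$1" -outform DER -out "$2"; }
cert_fingerprint() {  # $1 = file, $2 = PEM or DER
  openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

# Private key export: key + certificate in a passphrase-protected PKCS#12 (PFX).
export_pkcs12() {  # $1 = key, $2 = cert, $3 = passphrase, $4 = output .p12
  openssl pkcs12 -export -inkey "$1" -in "$2" -name "export-demo" \
    -passout "pass:$3" -out "$4"
}
# Succeeds only with the right passphrase (the PKCS#12 MAC check fails otherwise).
p12_unlocks() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out /dev/null >/dev/null 2>&1
}
# Recover the private key from the bundle as unencrypted PEM (for the check only).
key_from_pkcs12() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3" >/dev/null 2>&1
}

# SHA-256 over the DER SubjectPublicKeyInfo: equal for key and cert iff they match.
spki_of_key() {  # $1 = key file, $2 = passphrase ("" for an unencrypted key)
  openssl pkey -in "$1" -passin "pass:$2" -pubout -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}
spki_of_cert() {
  openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

run_demo() {
  make_sample
  export_cert_der "$WORK/cert.pem" "$WORK/cert.der"
  echo "PEM fingerprint: $(cert_fingerprint "$WORK/cert.pem" PEM)"
  echo "DER fingerprint: $(cert_fingerprint "$WORK/cert.der" DER)"
  export_pkcs12 "$WORK/key.pem" "$WORK/cert.pem" 'placeholder-passphrase' "$WORK/bundle.p12"
  if p12_unlocks "$WORK/bundle.p12" 'wrong'; then
    echo "unexpected: bundle opened with the wrong passphrase"
  else
    echo "wrong passphrase rejected"
  fi
  key_from_pkcs12 "$WORK/bundle.p12" 'placeholder-passphrase' "$WORK/key-from-p12.pem"
  echo "key  SPKI: $(spki_of_key "$WORK/key-from-p12.pem" "")"
  echo "cert SPKI: $(spki_of_cert "$WORK/cert.pem")"
}

run_demo
```

The SPKI comparison is the check to keep: it is what tells you an exported bundle was assembled from the right key, which a successful `openssl pkcs12 -export` alone does not guarantee.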

CA Key Export and Migration

  • Default Policy – Non-Exportable CA Keys: For security and compliance reasons, private keys of Certification Authorities (CA keys), which are stored in HSMs, are by default created as non-exportable. In PKCS#11 terms the key object carries CKA_EXTRACTABLE=FALSE and CKA_SENSITIVE=TRUE, so the HSM will neither wrap the key out nor reveal its value. This gives the root and subordinate CA key material the strongest protection the HSM offers.

  • Optional Exportable CA Keys: If required by the customer, it is technically possible to generate CA keys with exportable attributes inside the HSM, provided the underlying HSM supports such operations. The decision has to be made at key-generation time: PKCS#11 only allows CKA_EXTRACTABLE to be changed from TRUE to FALSE (and CKA_SENSITIVE from FALSE to TRUE), never the other way, so a key created non-exportable cannot be made exportable later. Exporting CA private keys is generally discouraged and subject to strict security, legal, and compliance considerations.

  • HSM Vendor Migration: The solution does not provide out-of-the-box tooling for automated migration of CA keys between different HSM vendor platforms due to vendor-specific key wrapping formats and security controls. In such cases, HSM vendor-specific tools may be used where supported.

Bring-Your-Own-Key (BYOK) Support

MTG CLM fully supports BYOK scenarios in multiple deployment models:

  • External HSM Integration: Customers may connect their own HSMs to the system (e.g., AWS CloudHSM, Azure Key Vault Managed HSM, on-premises HSMs) using PKCS#11 interfaces. In such setups, CA keys are generated and reside entirely under the customer’s control. This allows the customer to migrate keys or re-use them with other systems without vendor lock-in.

  • Customer-Controlled Key Generation: Customers have the option to generate the complete CA key pair (private and public key) externally, outside of MTG CLM, typically using their own HSM or key management system. In this scenario, the externally generated key pair can be imported into MTG CLM for subsequent use.

While this allows customers to retain full control over the key material and enables future portability, it also introduces certain risks:

  • The private key exists temporarily outside a controlled and audited environment during key generation and transfer.

  • Secure key import procedures must be followed to prevent key exposure or substitution: the key should only ever be stored and transferred in encrypted form (for example as an encrypted PKCS#8 or PKCS#12 container, or wrapped by the customer's HSM under a key-encryption key), with the passphrase or wrapping key delivered over a separate channel, and the public key of the imported material should be verified against a fingerprint communicated out of band before the CA goes into service.

  • Customers assume full responsibility for the secure handling, transfer, and protection of the key material prior to its import.

This approach is typically used only in scenarios where strict key ownership requirements exist and the customer has the necessary infrastructure and processes to securely manage private key material.
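The customer-controlled key generation flow above, as an added example that is not MTG CLM tooling or its import procedure. The customer side generates the CA key with the openssl CLI so that it only ever reaches disk as an encrypted PKCS#8 blob, issues the self-signed CA certificate from it, and announces the SHA-256 digest of the public key (SubjectPublicKeyInfo) over a separate channel. The import side then applies the checks implied by the risks listed above before accepting the material: the key file really is encrypted, the key matches the announced public key, the certificate carries that same public key, the certificate is a CA certificate, and its self-signature verifies. Everything here is constructed (names, passphrase, the `import_check` function); a real deployment would swap the openssl steps for the customer's HSM and the CLM's import interface.

```shell
#!/usr/bin/env bash
# Added example, not MTG CLM tooling: a CA key pair generated outside the CLM,
# encrypted from the moment it is written, and the checks the importing side runs
# before trusting it. Needs only openssl 1.1.1 or later.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Customer side: generate the CA private key straight into an encrypted PKCS#8
# container (PBES2 with AES-256-CBC); no plaintext copy is ever written.
gen_ca_key() {  # $1 = output file, $2 = passphrase (delivered out of band)
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 \
    -aes-256-cbc -pass "pass:$2" -out "$1" 2>/dev/null
}

# Customer side: self-signed CA certificate with explicit CA extensions, using a
# private config so the result does not depend on the system openssl.cnf.
gen_ca_cert() {  # $1 = encrypted key, $2 = passphrase, $3 = output cert
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Example BYOK Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -new -x509 -config "$WORK/ca.cnf" -key "$1" -passin "pass:$2" \
    -sha384 -days 3650 -out "$3" 2>/dev/null
}

# Import-side primitives.
key_is_encrypted() { grep -q "BEGIN ENCRYPTED PRIVATE KEY" "$1"; }
spki_of_key() {  # $1 = key file, $2 = passphrase
  openssl pkey -in "$1" -passin "pass:$2" -pubout -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}
spki_of_cert() {
  openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}
cert_is_ca() { openssl x509 -in "$1" -noout -ext basicConstraints | grep -q "CA:TRUE"; }
cert_self_signature_ok() { openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; }

# Hypothetical import gate: prints "accept" and returns 0 only if every check
# passes; otherwise prints the reason and returns 1.
import_check() {  # $1 = encrypted key, $2 = cert, $3 = passphrase, $4 = announced SPKI digest
  key_is_encrypted "$1" || { echo "reject: key is not encrypted at rest"; return 1; }
  [ "$(spki_of_key "$1" "$3")" = "$4" ] \
    || { echo "reject: key does not match announced public key"; return 1; }
  [ "$(spki_of_cert "$2")" = "$4" ] \
    || { echo "reject: certificate does not carry the announced public key"; return 1; }
  cert_is_ca "$2" || { echo "reject: not a CA certificate"; return 1; }
  cert_self_signature_ok "$2" || { echo "reject: self-signature does not verify"; return 1; }
  echo "accept"
}

# Demo run with a placeholder passphrase (constructed; never reuse in production).
PASS='placeholder-passphrase'
gen_ca_key "$WORK/ca-key.enc.pem" "$PASS"
gen_ca_cert "$WORK/ca-key.enc.pem" "$PASS" "$WORK/ca.pem"
ANNOUNCED="$(spki_of_key "$WORK/ca-key.enc.pem" "$PASS")"
echo "announced out of band - SPKI SHA-256: $ANNOUNCED"
import_check "$WORK/ca-key.enc.pem" "$WORK/ca.pem" "$PASS" "$ANNOUNCED"
```

The announced SPKI digest is what closes the gap the risk list describes: a key that is swapped or corrupted in transit, or a certificate issued for a different key, fails the comparison even if the encrypted container and passphrase look fine.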

Summary

MTG CLM offers:

  • Standardized export of certificates and application-level keys.

  • Controlled export options for CA keys where permitted.

  • Full support for BYOK scenarios via customer-owned HSMs and key generation.

  • Vendor-neutral architecture supporting secure customer-managed key material.