Note: For the latest version, please use Certificate Lifecycle Manager 6.8.1!
Crypto Module Operations
MTG CLM uses crypto modules for two distinct cryptographic functions:
- Random Number Generation (RNG): generates random bytes for passwords, keys and other cryptographic operations.
- Encryption: encrypts and decrypts sensitive data such as private keys and end entity passwords.
Without properly configured crypto modules, key pair generation is not possible. You can configure separate crypto modules for RNG and encryption, or use the same crypto module for both operations. This separation allows flexible security architectures where RNG requirements differ from encryption requirements.
After the active encryption crypto module is changed, key pairs generated from then on are encrypted with the new configuration before being stored. Key pairs encrypted under a previous configuration remain available as long as the crypto module that encrypted them is not deleted.
Crypto Module Types
MTG CLM supports two crypto module types: Built-in and MTG CARA.
Built-in Crypto Module
The built-in crypto module performs all cryptographic operations in software. Random byte generation, key generation and data encryption/decryption occur on the CLM server without external dependencies.
The built-in crypto module requires a password configured in the crypto.module.builtin.password property. Without this password, server-side key pair generation is not possible. The password protects the encryption key pair used for securing sensitive data.
The built-in crypto module is recommended when MTG CLM operates without MTG CARA, or for integration and test systems where security requirements are lower.
Note: Losing or changing the built-in crypto module password results in non-recoverable private keys.
MTG CARA Crypto Module
The MTG CARA crypto module uses a CARA-based certificate provider for cryptographic operations. Data encryption uses an encryption root certificate created in CARA. Random byte generation and encryption key storage can be software-based or HSM-based depending on CARA configuration.
To create an MTG CARA crypto module:
- Select an existing CARA-based certificate provider (decryption keys are stored in this provider).
- Create a root certificate with an RSA key pair in MTG CARA (software or HSM).
- Configure the clm.encryption.root.cert.idVCA property with the encryption root CA ID.
Hardware RNG Configuration
The MTG CARA crypto module supports HSM-based random number generation through the Hardware RNG parameter:
- preferred: uses the HSM for entropy if one is available in MTG CARA; falls back to software if no HSM is available.
- mandatory: requires an HSM for entropy; generates errors if no HSM is configured in MTG CARA.
Note: If you operate MTG CARA without an HSM, always choose
Note: Deleting or losing the keys in the MTG CARA certificate provider results in non-recoverable private keys.
Configuration Matrix
| Crypto Module Type/Configuration | Key Generation | Entropy Source for Key Generation | Random Data Generation |
|---|---|---|---|
| Built-in | In software in MTG CLM | In software in MTG CLM | In software in MTG CLM |
| MTG CARA | In software with MTG CARA | HSM | HSM |
| MTG CARA | Error | Error | Error |
| MTG CARA | In software with MTG CARA | HSM, error in software with MTG CARA | HSM, error in software with MTG CLM |
| MTG CARA | In software with MTG CARA | Software | Software |