TSB System Keys
The TSB automatically creates a number of keys on your HSM partition. This page explains what these keys are and what they are used for.
| Key label | Purpose |
|---|---|
approver-mgmt-backup-key-rsa-wrapping | Used for encrypting the approver keys that are managed by this TSB, before backing them up in the database. This is an SKA key. By default, its policy is empty. You may manually assign a policy to better protect this key. However, you will need to manage the approver keys of this SKA key externally (otherwise there is a circular dependency). |
attestation-key | Used for signing key attestations. Has the "attestation" key attribute set. |
rfc-timestamp-key | Used for signing trusted timestamps following RFC 3161. Uses the new "timestamp" key attribute. |
timestamp-key | Used for signing timestamps in SKA workflows that use timelocks or timeouts. Uses the old "integrity" key attribute. |
Danger: Do not delete these keys manually! The TSB needs these keys to operate.
If you have accidentally deleted these keys, the TSB automatically tries to create new keys. If key invalidation is disabled on your partition, this should succeed immediately. If key invalidation is enabled, the TSB's attempt to recreate the keys will fail, because the key labels are still present (albeit marked as deleted). In this case, the HSM administrator (SO or PSO) can help you reactivate the keys.
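As an added example (not part of the TSB product or its documentation), the following script audits a key inventory for the four system keys listed above and separates a label that is simply absent (the TSB will recreate it) from one that is still present but marked deleted under key invalidation (recreation fails; an SO/PSO must reactivate it). The inventory format is an assumption constructed for this example; adapt the loader to whatever listing your HSM tooling produces.

```python
"""Audit an exported key inventory for the TSB system keys (added example)."""

# Expected labels and the key attribute each one carries according to the page.
# The backup wrapping key is an SKA key with no fixed attribute, so it maps to None.
EXPECTED_SYSTEM_KEYS = {
    "approver-mgmt-backup-key-rsa-wrapping": None,
    "attestation-key": "attestation",
    "rfc-timestamp-key": "timestamp",
    "timestamp-key": "integrity",
}

BACKUP_WRAPPING_KEY = "approver-mgmt-backup-key-rsa-wrapping"


def audit_system_keys(inventory):
    """Return {label: status} for every expected TSB system key.

    inventory: list of dicts with 'label', 'attributes' (list), 'deleted' (bool)
    and optionally 'policy' (dict). This shape is an assumption for the example.
    """
    by_label = {entry["label"]: entry for entry in inventory}
    report = {}
    for label, attr in EXPECTED_SYSTEM_KEYS.items():
        entry = by_label.get(label)
        if entry is None:
            # Label gone entirely: the TSB tries to create a new key on its own.
            report[label] = "missing: TSB will try to recreate it"
        elif entry.get("deleted"):
            # Label still occupies the slot (key invalidation enabled):
            # the TSB's recreation attempt fails; SO/PSO has to reactivate.
            report[label] = "invalidated: needs SO/PSO reactivation"
        elif attr is not None and attr not in entry.get("attributes", []):
            report[label] = f"present but missing '{attr}' attribute"
        elif label == BACKUP_WRAPPING_KEY and not entry.get("policy"):
            # Default state per the page; flag it so the operator can decide
            # whether to assign a policy (and manage its approver keys externally).
            report[label] = "ok (no policy assigned)"
        else:
            report[label] = "ok"
    return report


def has_problems(report):
    """True if any system key is missing, invalidated or mis-attributed."""
    return any(not status.startswith("ok") for status in report.values())


# Constructed sample inventory, not real HSM output: one key invalidated,
# one absent, the wrapping key with its default empty policy.
SAMPLE_INVENTORY = [
    {"label": BACKUP_WRAPPING_KEY, "attributes": [], "deleted": False, "policy": {}},
    {"label": "attestation-key", "attributes": ["attestation"], "deleted": False},
    {"label": "rfc-timestamp-key", "attributes": ["timestamp"], "deleted": True},
]

if __name__ == "__main__":
    for label, status in audit_system_keys(SAMPLE_INVENTORY).items():
        print(f"{label}: {status}")
```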