Procedures for Managing the Transport Key

The Transport Key (TK) is used internally to secure communications between the Credential Provider (a plug-in to ActivID CMS that is in charge of communication with the CA) and the core ActivID CMS components that communicate with the device.

For Entrust, the TK is also used as an additional layer of security when private keys are exchanged between ActivID CMS and Entrust (for key escrow and key recovery operations).

After you have installed ActivID CMS, a default transport certificate is installed the first time you launch the application. The TK is stored either in an HSM or in software, depending on your environment and requirements.

  • The default key length is 2048 bits.

    Note: This 2048-bit default applies only to the certificate installed when you launch the application for the first time. Any transport keys created subsequently have a default key length of 3072 bits.
  • The default certificate subject DN for the automatically installed certificate is: CN=ActivIdentity self-generated transport certificate.

You can use any of the CA's standard encryption templates for the TK certificate. ActivID CMS does not warn you when the TK certificate is about to expire or has been revoked; you must monitor the expiration and revocation status of the TK certificate yourself.

Important: It is recommended that you set up a reminder so that you always renew the transport credential before it expires.
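Because ActivID CMS does not flag an expiring or short-keyed transport certificate, an operator needs an external check. The following script is an added example, not ActivID CMS code: it audits a transport certificate that has been exported to a PEM file, reporting its subject, expiry date and key length, warning when the key is shorter than the 3072-bit default the product uses for newly created transport keys (which is the case for the initially installed 2048-bit certificate), and when the certificate expires within a renewal window. The PEM path, the 30-day window and the exit-code scheme are assumptions of this example, as is the self-signed certificate constructed at the end for demonstration.

```shell
#!/bin/sh
# Added example, not ActivID CMS code: audit an exported transport (TK)
# certificate for expiry and key length with openssl.
# Assumptions: the TK certificate is available as a PEM file (path given
# by the caller), a 30-day renewal window, and 3072 bits as the minimum,
# matching the default the documentation gives for new transport keys.
set -eu

# Print subject, expiry and key length of a PEM certificate and return:
#   0  nothing to do
#   1  key is shorter than the required bit length (regenerate the TK)
#   2  certificate expires within the warning window (renew now)
#   3  certificate has already expired
#   4  key length could not be determined
# The most urgent code wins; every finding is still printed.
check_tk_cert() {
  cert="$1"
  warn_days="${2:-30}"
  min_bits="${3:-3072}"
  status=0

  subject=$(openssl x509 -in "$cert" -noout -subject)
  not_after=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2-)
  # The text dump contains "Public-Key: (2048 bit)" (older releases prefix
  # it with the algorithm name, e.g. "RSA Public-Key: (2048 bit)").
  bits=$(openssl x509 -in "$cert" -noout -text \
         | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)

  echo "$subject"
  echo "notAfter=$not_after"
  if [ -z "$bits" ]; then
    echo "FAIL: could not determine key length"
    return 4
  fi
  echo "key=${bits} bit"

  if [ "$bits" -lt "$min_bits" ]; then
    echo "WARN: key is ${bits} bits, below the ${min_bits}-bit default for new transport keys"
    status=1
  fi
  # -checkend N exits 0 if the certificate is still valid N seconds from now
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo "FAIL: certificate has already expired"
    status=3
  elif ! openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)) >/dev/null; then
    echo "WARN: certificate expires within ${warn_days} days; renew the transport credential now"
    status=2
  fi
  return "$status"
}

# Constructed test input: a self-signed certificate carrying the subject DN
# the product gives its automatically installed certificate. Not a real TK.
make_test_cert() {
  bits="$1"; days="$2"; out="$3"
  openssl req -x509 -newkey "rsa:${bits}" -nodes -days "$days" \
    -subj "/CN=ActivIdentity self-generated transport certificate" \
    -keyout "${out}.key" -out "$out" >/dev/null 2>&1
}

# Demo: an initial 2048-bit certificate with a year left triggers only the
# key-length warning (exit code 1).
demo_dir=$(mktemp -d)
make_test_cert 2048 365 "$demo_dir/tk.pem"
check_tk_cert "$demo_dir/tk.pem" 30 3072 || echo "exit code: $?"
rm -rf "$demo_dir"
```

Run it from a scheduled job against the exported TK certificate and alert on any non-zero exit code. The script covers only expiry and key length; revocation status is not visible in the certificate itself and must be checked separately against the issuing CA's CRL or OCSP responder.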