Generating and Exporting SKI Transport Keys

Crescendo Manager allows you to generate Secure Key Injection (SKI) Transport key pairs for your tokens. Secure Key Injection is a FIPS certification-compliant protocol that ensures data protection when importing private keys, OTP secrets, and management keys. These key pairs can then be used for secure transfer of secrets to your tokens in compliance with the Secure Key Injection protocol.

Tip! For more information about encrypting secrets for transfer to a token, see SKI Wrapper.

Generating an SKI Transport Key

To generate a new SKI Transport Key for the selected token:

  1. Go to the Certificates view in the left navigation pane.

  2. Click the Generate button in the top-right corner of the Certificates view.

    The Certificates view with the Generate button highlighted.

  3. From the Select action drop-down, select New key.

    The Generate Key, CSR or Certificate dialog with the Select action field highlighted.

  4. Choose Key Slot: In the drop-down menu, select SKI Transport Key. The Key Type field will be set to RSA 3072 automatically.

    The Generate Key, CSR or Certificate dialog with the SKI Transport Key key slot selected.

  5. Key Name: The key name is a human-readable string used to identify the key. Use the randomly generated value or overwrite it.

    Note:

    Knowing the key name is useful when you need to use the key directly, such as with the Cryptography Next Generation (CNG) application programming interface. CNG is a modern cryptographic API (Application Programming Interface) introduced by Microsoft as part of Windows to replace the older CryptoAPI. It provides a flexible and extensible framework for implementing cryptographic algorithms, key storage, and secure key management and supports a wide range of cryptographic operations, including encryption, decryption, hashing, and digital signatures. See the simple PowerShell example below, which opens the key for further actions.

    # $keyname must hold the Key Name chosen in step 5
    [System.Security.Cryptography.CngKey]::Open($keyname, [System.Security.Cryptography.CngProvider]::MicrosoftSmartCardKeyStorageProvider)

  6. Click the Generate button. The new SKI Transport Key is now displayed as a new tile.

    A tile with the SKI Transport Key.

Note: An SKI transport key cannot be deleted from the token. The only way to remove it is by recycling the token.

Exporting an SKI Transport Key

To copy the public part of an SKI Transport Key:

  1. Click the SKI Transport Key tile.

  2. Click Copy to Clipboard to copy the public part of the SKI Transport Key in PEM format, then paste it into the desired application.

    Public Key Details dialog.

  3. Click Save to File to save the public part of the SKI Transport Key in PEM format to the selected destination.
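
Before a saved or pasted public key is used to wrap secrets, it can be checked against what this page states about it (public part only, RSA 3072) and fingerprinted for comparison over a separate channel. The PowerShell below is an added example, not part of Crescendo Manager or its documentation; the function name Test-SkiTransportPublicKey and the throwaway sample key are constructed for illustration. It assumes PowerShell 7.1 or later and that the exported PEM is a standard RSA public key block.

```powershell
# Added example (hypothetical helper, not vendor code). Requires PowerShell 7.1+.
function Test-SkiTransportPublicKey {
    param(
        [Parameter(Mandatory)][string]$Pem,   # text of the exported PEM
        [int]$ExpectedBits = 3072             # Key Type set automatically in step 4
    )
    # The export should contain the public part only; reject private key blocks.
    if ($Pem -match '-----BEGIN [A-Z ]*PRIVATE KEY-----') {
        throw 'PEM contains private key material; expected the public part only.'
    }
    $rsa = [System.Security.Cryptography.RSA]::Create()
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $rsa.ImportFromPem($Pem)              # throws if this is not an RSA key PEM
        if ($rsa.KeySize -ne $ExpectedBits) {
            throw "Unexpected key size $($rsa.KeySize); expected $ExpectedBits."
        }
        # SHA-256 over the DER SubjectPublicKeyInfo, for out-of-band comparison
        # with the value computed where the key was exported.
        $hash = $sha.ComputeHash($rsa.ExportSubjectPublicKeyInfo())
        [pscustomobject]@{
            KeySize    = $rsa.KeySize
            SpkiSha256 = ([System.BitConverter]::ToString($hash) -replace '-')
        }
    }
    finally {
        $sha.Dispose()
        $rsa.Dispose()
    }
}

# Constructed sample input: a throwaway software key standing in for the file
# written by Save to File. With a real export, read it with Get-Content -Raw.
$tmp = [System.Security.Cryptography.RSA]::Create(3072)
$b64 = [System.Convert]::ToBase64String($tmp.ExportSubjectPublicKeyInfo(), 'InsertLineBreaks')
$samplePem = "-----BEGIN PUBLIC KEY-----`n$b64`n-----END PUBLIC KEY-----"
$tmp.Dispose()

Test-SkiTransportPublicKey -Pem $samplePem
```

A mismatch between the fingerprint computed here and the one computed on the machine that exported the key means the PEM was altered or swapped in transit and should not be used for wrapping.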

What's Next

A generated SKI Transport Key can be used for encrypting secrets for Secure Key Injection with the SKI Wrapper tool.