The Cryptographic Operation Control Software is now about to be used to cause the numbered (in section 3 above) operations to occur in the following sequence: 5.
During this phase of the Key Generation Ceremony, a new Key Access Component Card Set is created and bound to our HSM device security infrastructure. The card set configuration we choose is as follows:
b. Minimum number of smart cards required to access the private key: 3
c. Minimum number of smart cards required to recreate any lost smart card: 3
d. Minimum number of smart cards required to recover lost PIN codes: 3
e. Minimum number of smart cards required to recover a private key: 3
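The card set above is a k-of-n quorum: three cards must be presented together, and fewer than three must yield nothing useful. The following Python block is an added illustration of that quorum semantics and is not the ceremony's or the HSM vendor's code; it assumes a textbook Shamir threshold scheme over a prime field, whereas a real HSM card set uses the vendor's own, PIN-protected implementation. The secret and seed values are constructed for the demonstration.

```python
"""Added example: k-of-n threshold sharing (Shamir over a prime field).

Models the card-set rule "minimum number of smart cards required: 3":
a key-wrapping secret is split into n shares so that any 3 recreate it
exactly and any 2 do not. This is an assumption about how a quorum can
be realised, not a description of the HSM's internal scheme.
"""
import random
import secrets

# Field prime 2^127 - 1 (assumed for the example); all arithmetic is mod PRIME.
PRIME = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, quorum, cards, rng=None):
    """Split `secret` into `cards` shares; any `quorum` of them reconstruct it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must lie in the field")
    if not 1 < quorum <= cards:
        raise ValueError("need 1 < quorum <= cards")
    rng = rng or secrets.SystemRandom()
    # Random polynomial of degree quorum-1 whose constant term is the secret.
    coeffs = [secret] + [rng.randrange(PRIME) for _ in range(quorum - 1)]
    # Card i holds the point (i, f(i)); x = 0 is never issued to anyone.
    return [(i, _eval_poly(coeffs, i)) for i in range(1, cards + 1)]


def reconstruct(shares):
    """Lagrange interpolation at x = 0 over the presented shares.

    With fewer than `quorum` distinct shares this still returns a value,
    but a wrong one: the scheme reveals nothing, and an HSM refuses the
    operation instead of guessing.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("the same card was presented twice")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i == j:
                continue
            num = (num * (-xj)) % PRIME
            den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def quorum_demo(quorum=3, cards=5, seed=None):
    """Return (full quorum recovers secret, below-quorum set recovers secret)."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    secret = rng.randrange(PRIME)  # constructed stand-in for a wrapping key
    shares = split_secret(secret, quorum, cards, rng)
    with_quorum = reconstruct(shares[1:quorum + 1])   # e.g. cards 2, 3, 4
    below_quorum = reconstruct(shares[:quorum - 1])   # only 2 cards
    return with_quorum == secret, below_quorum == secret


if __name__ == "__main__":
    print(quorum_demo(3, 5, seed=7))  # (True, False)
```

Any three of the five issued shares, in any order, recover the secret; presenting two returns an unrelated field element. This is the property the ceremony relies on when it requires three holders for every access, recreation and recovery operation.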
During this step, one of the HSM Security Administrators present at the ceremony will be requested by the Key Generation Ceremony Administrator to insert their Administrator's Smart Card into the smart card reader interface of the HSM device in order to authorize the creation of a new Key Access Component Card Set. This is required by the HSM device, which operates in FIPS 140-2 Level 3 mode.
Further, during this step, each Key Access Component Holder appointed in the previous step will be requested to actively participate in the ceremony. The Key Generation Ceremony Administrator will require each Key Access Component Holder to separately follow the steps below:
a. Access their PIN envelope, which was previously placed on the Inventory Table
b. Re-read and memorize their PIN code, which was previously written on their PIN Code paper sheet
c. Confirm that they have memorized their PIN code
d. Place their PIN Code paper sheet back into their envelope and place the envelope, unsealed, back on the Inventory Table
e. Take their smart card from the Inventory Table and when requested by the Key Generation Ceremony Administrator, walk towards the HSM device
f. When requested by the Key Generation Ceremony Administrator, insert their smart card into the smart card reader interface of the HSM device and when requested by the Key Generation Ceremony Administrator, enter and confirm their memorized PIN Code.
g. When requested by the Key Generation Ceremony Administrator, remove the smart card from the HSM smart card reader interface and place their smart card back on the Inventory Table on top of their PIN envelope.
The above sequence of steps will be repeated for each appointed new Key Access Component Holder.
All attending Witnesses must ensure that each Key Access Component Holder accesses only their own Key Access Component Card and PIN envelope. They must also ensure that all PIN Code paper sheets remain in their unsealed envelopes, and that the relevant Key Access Component Cards reside on top of each envelope on the Inventory Table at the end of this step.
The new card set will be subsequently used during this ceremony to encrypt and protect access to relevant private keys we are about to generate. The encryption key elements [components] are now stored on each PIN protected Key Access Component Card, which will be required to access newly generated and access protected private keys at any time.