[1] To track the assignment of pre-generated keys, a Key Map is maintained and updated before and after every Key Ceremony you conduct (see Appendix III for a sample Key Map template). This file contains the following information, which is explained in the subsections below:
This field remains blank until the pre-generated key pair is assigned to a new CA. Once the key pair is assigned, the date of the Key Ceremony and the precise UTC time of assignment are entered in this field.
3.11.2.2.2 Private Key and Cryptographic Device
This field identifies the cryptographic device and the private key residing within it, either pre-generated or generated at the beginning of this ceremony. The device is usually identified by the unique serial number that the device vendor has assigned to it. If the vendor of your device provides one, you may also enter the integrity key identifier value, which gives an increased level of device identity assurance. Next in this section, you enter the Common Name of the pre-generated key stored within the cryptographic device and, optionally, a unique key identifier file name together with the checksum byte string of that identifier file. As the last item in this section, if the additional Key Access Component Card based protection was enabled for the generated key, you enter the name of the Key Access Component Card Set that was used to protect access to the key. When the key pair is assigned to a new CA, the appointed Key Ceremony Attendees cross-check these values to ensure they match the real values that the Key Ceremony Administrator is using during the key-related activities of the ceremony.
3.11.2.2.3 Subject DN
This field remains blank until the pre-generated key pair is assigned to a new CA. Once the key pair is assigned, the Distinguished Name [DN] of the new CA is entered in this field of the spreadsheet.
3.11.2.2.4 Issuer DN
This field remains blank until the pre-generated key pair is assigned to a new CA. Once the key pair is assigned, the DN of the Issuing CA is entered in this field of the spreadsheet.
3.11.2.2.5 .req File
This is the name of the file containing the public key and the certification [2] request generated during the Key Ceremony. The request file assigns the CA to a pre-generated key.
3.11.2.2.6 x509 File
This field remains blank until the pre-generated key pair is assigned to a new CA. During the Key Ceremony a certificate for the new CA is created; once this is done, the name of the certificate file is entered in this field of the spreadsheet.
3.11.2.2.7 Validity Period
This field remains blank until the pre-generated key pair is assigned to a new CA. During the Key Ceremony a validity period is assigned to the new CA, and it is entered here once the assignment is complete.
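As an added example, not taken from the Digi-CA manual or its software, the following Python sketch models one Key Map row: the device section is filled when the key is pre-generated, the assignment fields stay blank until `assign_key` records the UTC time of assignment, and `cross_check_device` performs the attendees' comparison of device serial, key Common Name and identifier-file checksum. SHA-256 as the checksum and all field and function names are assumptions of this example.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class KeyMapEntry:
    # "Private Key and Cryptographic Device" section, filled when the key is pre-generated
    device_serial: str          # unique serial number assigned by the device vendor
    key_common_name: str        # Common Name of the key inside the device
    key_id_file: str = ""       # optional unique key identifier file name
    key_id_checksum: str = ""   # checksum of that file (SHA-256 hex is assumed here)
    kac_card_set: str = ""      # Key Access Component Card Set name, if that protection is on
    # Fields that stay blank until the key pair is assigned to a new CA
    assigned_at: str = ""       # Key Ceremony date and precise UTC time of assignment
    subject_dn: str = ""
    issuer_dn: str = ""
    req_file: str = ""
    x509_file: str = ""
    validity_period: str = ""

    def is_assigned(self) -> bool:
        return self.assigned_at != ""

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def cross_check_device(entry, observed_serial, observed_cn, key_id_bytes=None):
    """Mismatches attendees would flag between the Key Map and the device/key in use."""
    problems = []
    if observed_serial != entry.device_serial:
        problems.append("device serial mismatch")
    if observed_cn != entry.key_common_name:
        problems.append("key common name mismatch")
    if entry.key_id_checksum and key_id_bytes is not None and \
            sha256_hex(key_id_bytes) != entry.key_id_checksum:
        problems.append("key identifier file checksum mismatch")
    return problems

def assign_key(entry, subject_dn, issuer_dn, req_file, x509_file, validity_period, when=None):
    """Fill the assignment fields; an already-assigned key is refused so no key backs two CAs."""
    if entry.is_assigned():
        raise ValueError(f"{entry.key_common_name} already assigned to {entry.subject_dn}")
    when = when or datetime.now(timezone.utc)
    entry.assigned_at = when.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    entry.subject_dn, entry.issuer_dn = subject_dn, issuer_dn
    entry.req_file, entry.x509_file, entry.validity_period = req_file, x509_file, validity_period
    return entry
```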
Links:
[1] https://www.digi-sign.com/downloads/digi-ca-admin-manual
[2] https://www.digi-sign.com/compliance/introduction