The Serial Vault provides encrypted storage for signing keys for an account. Signing keys can be generated locally and uploaded, or generated within the Serial Vault. However, signing keys cannot be downloaded from the Serial Vault so the unencrypted signing is never available, so the recommended approach is to generate the key locally. The signing key also needs to be registered with the Brand store so it can be used to verify the signature of serial assertions. The Serial Vault holds the private key, whereas the Brand Store holds only the public key as an account-key assertion.
The steps needed with local key generation and registration are:
- Generating the key(s)
- Registering the key with the Brand Store
- Exporting the key as ASCII-armored
- Uploading the ASCII-armored key file to the Serial Vault
The Serial Vault will need the private keys uploaded to its database for the following keys:
- Key for signing serial assertions
- Key for signing system-user assertions
- (if model pivoting is needed) Key for signing model assertions
Although one key can be used for each of these three purposes, it is recommended to use a separate signing key for each type of assertion.
Signing keys that are to be uploaded to the Serial Vault need to be passwordless (i.e. keeping a blank password when generating the key). Using a key that has a password results in an error when uploading the signing key.