
Venafi Advanced Key Protect

Scale Your Private Key Security with Hardware Security Module Leaders

As an add-on module to the Venafi Platform, Advanced Key Protect applies policy and workflow controls and enables fast, automated orchestration of keys. Together, these capabilities ensure the consistent use of the strongest possible cryptographic keys.

Does your organization use TLS to secure communication to business-critical systems? Many organizations struggle with key management issues that result in compromised private keys. Venafi makes it easy to automate private key lifecycle management that enforces strict policy control, achieves compliance and centrally manages keys securely, avoiding the risks associated with storing keys in files.

Advanced Key Protect

Venafi Advanced Key Protect promotes the use of safe, cryptographic keys by orchestrating HSM-based generation and storage of cryptographically strong keys across the enterprise.

How It Works

Venafi Advanced Key Protect improves private key security in two important ways: it allows users to generate strong keys from a central HSM and also provides flexible management of the entire HSM key life cycle for enterprise applications.

Key Advantages
  • Delivers immediate PCI DSS 3.6.1 and 3.6.3 compliance
  • Leverages existing HSM investment for strong key generation and key lifecycle management
  • Automates strong, centrally generated keys across your network
  • Maintains private keys under strict policy controls in a secure, centralized location

What's in It for You

Strong central key generation

The Venafi Platform leverages a central HSM to generate key pairs, delivering keys created with strong random number generation.

HSM key lifecycle management

Once Venafi Advanced Key Protect triggers the generation of a key pair by the HSM, it then follows one of these two approaches:

1. Securely maintain private keys on an HSM

The Venafi Platform orchestrates the connection to the system that needs the certificate. The key pair is securely maintained on the HSM, delivering HSM-based key protection, and the private key never leaves the HSM. Both Gemalto and Thales HSMs enable this approach, and this capability is supported on Apache, Windows IIS and Java.

Private Key Securely Maintained on HSM

When administrators enter application and HSM information into the Venafi Platform, it triggers the following actions by the platform:

  • Connects to the managed application and instructs the HSM to generate a key pair
  • Retrieves a certificate-signing request (CSR) from the HSM through the managed application
  • Uses the CSR for certificate enrollment with a certificate authority (CA)
  • Installs the certificate on the managed application (the private key remains on the HSM)

2. Install private keys and certificates on a managed application

For this second option, the Venafi Platform can be used to generate all X.509 and SSH keys in a central HSM, even for applications that do not have the capability to integrate with an HSM. In this approach, instead of keeping the private key in the HSM, the key pair is exported from the HSM and the private key and certificate are installed on the system that will use them. This capability is supported by Gemalto.

Private Key and Certificate Installed on Managed Application

Again, this process begins when an administrator enters application and HSM information into the Venafi Platform, but it triggers these actions by the platform:

  • Instructs the HSM to generate a key pair
  • Retrieves the private key and a certificate-signing request (CSR) from the HSM
  • Uses the CSR for certificate enrollment with a certificate authority (CA)
  • Installs the certificate and the private key on the managed application

Take the First Step

Start protecting your enterprise today with Advanced Key Protect.
