Skip to content

What is Automated Secure Keypair?

Automated Secure Keypair makes your certificate requests fast, secure, and easy by:

  • By generating the key pair for new certificate requests
  • By creating valid certificate signing requests (CSR)

Using Automated Secure Keypair, you no longer have to generate your own key pairs or wonder whether your CSR is valid. Automated Secure Keypair takes care of all of that for you.

How Automated Secure Keypair is enabled

The Automated Secure Keypair service is included in TLS Protect Cloud premium packages by default. The service automatically activates once a VSatellite is deployed and registered with TLS Protect Cloud. Once active, it can be selected as a key generation option on certificate issuing templates.

How can I see if Automated Secure Keypair is active?

Click Settings > Services. The Services page lists all of the services available to you, and it shows whether they are active.

By default, the service that runs Automated Secure Keypair is called Key generation service. It's possible that this has been renamed in your environment. If you don't see it, look for Automated Secure Keypair in the service subtext.

Screenshot showing the Key generation service

What happens when a certificate request is submitted using Automated Secure Keypair

When a certificate request is submitted using the Automated Secure Keypair service, the following sequence of events takes place:

  1. TLS Protect Cloud receives the request and forwards it to the active VSatellite in your environment.
  2. The VSatellite generates a key pair and a CSR.
  3. The private key is encrypted with the VSatellite's Data Encryption Key, and the encrypted private key and CSR are sent to TLS Protect Cloud.


    The Data Encryption Key itself is never sent to TLS Protect Cloud. Venafi cannot decrypt private keys that are stored in TLS Protect Cloud.

  4. TLS Protect Cloud forwards the CSR to the CA specified in the issuing template.

  5. TLS Protect Cloud receives the CA-issued certificate and stores it.

Once the certificate is returned to TLS Protect Cloud, you can download the certificate or the Keystore.

Ready to get started?

Go to Using Automated Secure Keypair to request certificates. It will walk you through all of the steps necessary to start using Automated Secure Keypair.