Cryptera Keyserver¶

Cryptera Keyserver is a secure, centralized platform for managing and using cryptographic signing keys.
It enables trusted firmware signing, controlled certificate issuance, and fully audited key usage across development, CI/CD, and manufacturing environments — all without ever exposing private keys to applications or operators.

Built for embedded systems, IoT devices, hardware modules, and high-assurance software pipelines, the Keyserver provides:

• HSM-backed key protection: Keys are generated and stored entirely within HSMs.
• Granular access control: Subjects receive only the roles and permissions needed for their responsibilities, scoped to specific keys.
• Approval workflows: High-risk operations can require one or more human approvers.
• Multiple signing interfaces: Supports REST, PKCS#11, OpenSSL, and integrations with major CI/CD systems.
• Device certificate issuance: Provisioning systems submit CSRs; the Keyserver issues certificates using CA keys.
• Complete auditability: All signing events, administrative actions, and approvals are timestamped and logged.

By storing all private keys in certified HSMs, enforcing strict access control, requiring approvals for sensitive operations, and integrating with modern identity providers, Cryptera Keyserver eliminates risks like unauthorized signing, key extraction, and lack of audit traceability. Developers and automated systems never have direct access to private keys — they request signing operations that the Keyserver performs securely.

Cryptera Keyserver provides a secure, consistent, and automatable foundation for all cryptographic signing operations across your organization.

Typical Workflows¶

Firmware Signing¶

1. CI pipeline authenticates using OAuth2 or OIDC
2. It creates an operation for a specific signing key
3. Approvers (if required) approve the operation
4. The CI pipeline submits a sign order
5. The Keyserver returns a cryptographic signature

Device Certificate Issuance¶

1. Device generates a key pair and CSR
2. Provisioning tool authenticates
3. CSR is submitted to the API
4. The Keyserver signs the certificate using a CA key
5. The device receives its certificate chain

Administrative Configuration¶

1. Administrators create a session and obtain approval
2. Roles, subjects, and signing keys are created or updated
3. All changes are logged for auditing

Documentation Structure¶

The documentation is organized into clear sections that match typical workflows and responsibilities.

1. Core Concepts¶

Foundational explanations of how the Keyserver works.

• Subjects, Roles, and Access Control
• Authentication Model
• Key Types and Operations
• Approval Workflow
• Administrative Sessions

2. Tutorials¶

Step-by-step walkthroughs designed for first-time users.

• Sign Code Using Trial Server

3. How-To Guides¶

Short, task-based guides for engineers and administrators.

Signing¶

• Sign Code Using the REST API - Refer to tutorial

• Sign Windows Executables (Authenticode)
• Use OpenSSL with PKCS#11

4. Reference¶

Specifications and terminology.

• Interactive API Reference

Getting Started¶

If you're new to the Keyserver:

1. Begin with Core Concepts
2. Work through the Tutorials
3. Follow a relevant How-To guide

Administrators should begin with:

• Admin Configuration Tutorial
• Manage Subjects
• Manage Roles
• Manage Keys

CI/CD engineers should start with:

• REST API Signing
• GitLab / Azure DevOps / GitHub OIDC Integration

You're now ready to explore the rest of the documentation.