NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION
SC-12(5) — PKI Certificates / Hardware Tokens
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
For high-security environments, PKI certificates and private keys should be stored on hardware tokens (smart cards, HSMs) rather than in software keystores.
Example 1: Issue CAC/PIV smart cards to users for authentication. The private key is generated on the card and never leaves the hardware. Users must insert the card and enter a PIN to authenticate — two factors in one device.
Example 2: Store your certificate authority's signing key in a FIPS 140-2 Level 3 Hardware Security Module (HSM). The HSM performs all signing operations internally — the private key cannot be exported, copied, or extracted from the hardware.
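The non-exportability both examples rely on is a property of the key object on the token, so it can be audited rather than assumed. The following is an added example (not part of this control text): it parses a captured `pkcs11-tool --list-objects --login` listing (OpenSC) and flags any private key that is not marked never-extractable or was not generated on the token. The listing embedded below is constructed for the example, and its field spacing approximates the tool's output.

```python
# Added example: flag PKCS#11 private keys that do not satisfy a hardware-only key policy.
# Input is the text of `pkcs11-tool --list-objects --login` (OpenSC); the listing below is
# constructed for the example and its field spacing approximates the tool's real output.
SAMPLE_LISTING = """\
Private Key Object; RSA
  label:      piv-auth
  ID:         01
  Usage:      sign
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2048 bits
  label:      piv-auth
  ID:         01
  Usage:      verify
Private Key Object; EC
  label:      legacy-import
  ID:         02
  Usage:      sign, decrypt
  Access:     sensitive, extractable
"""

def parse_objects(listing):
    """Split pkcs11-tool output into one dict per object (header line + indented attributes)."""
    objects = []
    for line in listing.splitlines():
        if line and not line.startswith(" "):
            objects.append({"type": line.strip()})
        elif ":" in line and objects:
            key, _, value = line.strip().partition(":")
            objects[-1][key.strip().lower()] = value.strip()
    return objects

def audit_private_keys(listing):
    """Return (label, reason) pairs for private keys that violate the hardware-only policy:
    a compliant key carries CKA_NEVER_EXTRACTABLE (could never be wrapped out of the token)
    and CKA_LOCAL (generated on the token rather than imported)."""
    findings = []
    for obj in parse_objects(listing):
        if not obj["type"].startswith("Private Key Object"):
            continue
        access = {a.strip() for a in obj.get("access", "").split(",")}
        label = obj.get("label", "<unlabelled>")
        if "never extractable" not in access:
            findings.append((label, "not marked never-extractable"))
        if "local" not in access:
            findings.append((label, "not generated on the token (no 'local' flag)"))
    return findings

if __name__ == "__main__":
    for label, reason in audit_private_keys(SAMPLE_LISTING):
        print(f"FAIL {label}: {reason}")
```

A key that passes both checks was created inside the token and can only ever be used through it, which is the property the two examples above depend on.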