Key ceremony

In public-key cryptography and computer security, a root-key ceremony is a procedure for generating a unique pair of public and private root keys.

Depending on the certificate policy of a system, the generation of the root keys may require notarization, legal representation, witnesses, or “key-holders” to be present.

A commonly recognized practice is to follow the SAS 70 standard for root key ceremonies.

Unless the information that is being accessed or transmitted is valued in terms of millions of dollars, it is generally adequate that the root key ceremony be conducted within the security of the vendor's laboratory.

When conducting the root key ceremony, the government or organization will require rigorous security checks on all personnel in attendance.

The actual generation of the root key-pair typically occurs in a secure vault, with no external communication except for a single telephone line or intercom.

Upon securing the vault, all present personnel must verify their identity using at least two legally recognized forms of identification.

CA vendors and organizations such as RSA, VeriSign, and Digi-Sign implement projects of this nature, in which conducting a root key ceremony is a central component of their service.

For IBM CCA (Common Cryptographic Architecture) HSMs, the master key parts can be stored either on smart cards or in files on the TKE (Trusted Key Entry) workstation.
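The following is an added illustration, not part of the original article and not IBM's code, of why master key parts are handed to separate key-holders: it models split knowledge, in which the master key is the XOR of several parts so that any subset short of the full set reveals nothing, and a short verification pattern lets the ceremony confirm correct entry without exposing the key. The 32-byte key length, the SHA-256 verification pattern, and the key-holder count are assumptions for the example.

```python
import hashlib
import os

# Added example of split-knowledge master key entry. The XOR-combination
# rule is an illustrative model of how multi-part master keys are assembled;
# it does not talk to any HSM or TKE workstation.

KEY_LEN = 32  # bytes; a 256-bit master key is assumed for this example


def split_master_key(master_key: bytes, n_parts: int) -> list:
    """Split master_key into n_parts XOR shares, one per key-holder.
    Any n_parts-1 shares are uniformly random and reveal nothing;
    all n_parts together are needed to rebuild the key."""
    if n_parts < 2:
        raise ValueError("split knowledge needs at least two parts")
    parts = [os.urandom(len(master_key)) for _ in range(n_parts - 1)]
    last = bytes(master_key)
    for p in parts:
        last = bytes(a ^ b for a, b in zip(last, p))
    parts.append(last)  # final part makes the XOR of all parts equal the key
    return parts


def combine_parts(parts: list) -> bytes:
    """Rebuild the master key by XORing all entered parts (order does not matter)."""
    acc = bytes(len(parts[0]))
    for p in parts:
        if len(p) != len(acc):
            raise ValueError("all key parts must have the same length")
        acc = bytes(a ^ b for a, b in zip(acc, p))
    return acc


def verification_pattern(key: bytes) -> str:
    """Truncated hash used to confirm all parts were entered correctly
    without revealing the key (analogous to a key check value)."""
    return hashlib.sha256(key).hexdigest()[:16]


def run_ceremony(n_holders: int = 3) -> dict:
    """Simulate a ceremony: generate, split, re-enter, and verify the key."""
    master = os.urandom(KEY_LEN)
    parts = split_master_key(master, n_holders)
    rebuilt = combine_parts(parts)
    short_quorum = combine_parts(parts[1:])  # one key-holder absent
    return {
        "ok": rebuilt == master,
        "vp_match": verification_pattern(rebuilt) == verification_pattern(master),
        "partial_reveals_key": short_quorum == master,
    }
```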