Bring Your Own Auditor (BYOA) Guide for Private Key Generation Attestation

allows customers who are requesting Code Signing or Adobe Approved Trust List (AATL) Document Signing certificates to use an independent qualified auditor of their choice to attest that the customer’s private key was generated and is stored securely in a compliant Hardware Security Module (HSM). refers to this process as “BYOA” is a term we made up.

With BYOA, the customer provides with:

  • The Certificate Signing Request (CSR) generated by the HSM.
  • Confirmation from an independent qualified auditor, approved by, that the key pair was generated and is stored in a hardware crypto module certified to at least FIPS 140-2 Level 2 or equivalent under an approved operating environment.

This guide details the BYOA process, auditor requirements, key ceremony guidelines, and provides a form letter template for the auditor attestation.

Auditor Requirements and Approval

To perform the BYOA attestation, the independent auditor must be pre-approved by evaluates auditors based on the following criteria:

  • Technical competency: The auditor must have expertise in the field of digital certification and cybersecurity.
  • Auditing qualifications: The auditor must hold a recognized auditing certification or qualification, such as being a WebTrust/ETSI auditor or having a Cloud Security Alliance CCAK.
  • Code of ethics: The auditor must be bound by a professional code of ethics, typically through membership in a professional organization.
  • Verifiable credentials: must be able to verify the auditor’s credentials through public sources like an auditor registry.

If a customer’s preferred auditor is not already approved, the auditor can submit their qualifications to for review against these criteria. maintains a public list of pre-approved auditors for customers’ reference.

Key Generation Ceremony Guidelines

For the BYOA process, the auditor must witness the Key Generation Ceremony and confirm the following in their signed attestation letter:

  • The private key was generated in a hardware crypto module that is certified to at least FIPS 140-2 Level 2 or equivalent.
  • The HSM is operating in at least FIPS 140-2 Level 2 mode.
  • Genuine, vulnerability-free HSM hardware and firmware were used.
  • All communications with the HSM during key generation were authenticated and encrypted.
  • The private key was generated inside the HSM and was never imported or exported.
  • The private key is marked as non-extractable and sensitive, in compliance with PKCS#11 standards.
  • User authentication is required for all access to the private key.
  • The HSM’s operating environment has security controls equivalent to FIPS 140-2 Level 2 or higher.
  • The auditor was present for the entire key generation ceremony and process with no indications of compromise.

provides guidance on ceremony preparations, a detailed ceremony script, and the auditor attestation letter template to ensure all requirements are met.
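Several of the checklist items above correspond to standard PKCS#11 attributes on the private-key object, which can be read from the token during the ceremony. The following is an added example, not part of the original guide or any ceremony script: it evaluates an attribute dump against those items. The function name and the sample attribute sets are constructed for illustration.

```python
# Added example. Attribute names are standard PKCS#11; the sample values
# below are constructed, not read from a real token.

# Required value per attribute, and the checklist item it is evidence for.
REQUIRED = {
    "CKA_LOCAL": (True, "generated inside the HSM, not imported"),
    "CKA_SENSITIVE": (True, "marked sensitive"),
    "CKA_ALWAYS_SENSITIVE": (True, "sensitive since creation"),
    "CKA_EXTRACTABLE": (False, "marked non-extractable"),
    "CKA_NEVER_EXTRACTABLE": (True, "never extractable, so never exported"),
    "CKA_PRIVATE": (True, "only accessible after user authentication"),
}


def check_key_attributes(attrs):
    """Return a list of findings; an empty list means every check passed.

    A missing attribute is reported as a finding, because an attribute the
    token did not report gives the auditor nothing to attest to.
    """
    findings = []
    for name, (want, meaning) in REQUIRED.items():
        if name not in attrs:
            findings.append(f"{name}: not reported, cannot confirm key is {meaning}")
        elif attrs[name] is not want:
            findings.append(f"{name}={attrs[name]!r}: cannot confirm key is {meaning}")
    return findings


# Constructed sample: key generated on the token with a restrictive template.
COMPLIANT_KEY = {
    "CKA_LOCAL": True, "CKA_SENSITIVE": True, "CKA_ALWAYS_SENSITIVE": True,
    "CKA_EXTRACTABLE": False, "CKA_NEVER_EXTRACTABLE": True, "CKA_PRIVATE": True,
}

# Constructed sample: key imported into the token and locked down afterwards.
# The current flags look fine, but the history attributes show the import.
IMPORTED_KEY = dict(COMPLIANT_KEY, CKA_LOCAL=False,
                    CKA_ALWAYS_SENSITIVE=False, CKA_NEVER_EXTRACTABLE=False)

if __name__ == "__main__":
    for label, key in (("compliant", COMPLIANT_KEY), ("imported", IMPORTED_KEY)):
        result = check_key_attributes(key)
        print(label, "PASS" if not result else "FAIL")
        for finding in result:
            print("  ", finding)
```

These attributes cover only the key-object items in the list; HSM certification, FIPS mode, firmware and channel protection have to be confirmed by other means.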

Subscriber Obligations

As part of the BYOA process, must obtain a contractual representation from the Subscriber that they will use one of the following methods to generate and protect their Code Signing Certificate private keys in a hardware crypto module with a design certified to at least FIPS 140-2 Level 2:

  • provides the Subscriber with a suitable HSM with one or more key pairs pre-generated by
  • The Subscriber provides a report confirming the use of a compliant cloud-based key protection solution and HSM.
  • An auditor approved by, with IT and security training, witnesses and provides a report on the key pair generation in a compliant HSM.
  • The Subscriber is using a Signing Service that meets the requirements detailed in the Baseline Requirements section

Auditor Attestation Form Template

provides a template for the auditor’s attestation form detailing the key points that must be addressed. The template is available for download here.

The auditor attestation form must be signed by the auditor performing the ceremony witness. Submissions without signatures or from auditors not approved by will be rejected.


The BYOA process allows customers to utilize an auditor of their choice for key generation attestation, providing more flexibility compared to CA-managed attestation, while still upholding the security standards required for Code Signing and Document Signing certificates through rigorous auditor vetting and ceremony criteria.

Customers interested in BYOA for their Code Signing or Document Signing certificate needs should ensure their selected auditor meets’s qualification criteria and is approved before proceeding.’s validation team is available to answer any questions and provide guidance throughout the BYOA preparation and execution process.

For more information or to initiate the BYOA process, please contact support at
