Create a Signing Key
Signing Keys let you create and store keys and, optionally, certificates for signing. After you create a Signing Key, anyone with built-in account credentials for the TSG can sync it to their signing workstations and use it for signing.
To Create a Signing Key
Sign in to Next-Gen Trust Security.
Click Insights > Signing Keys.
Click New.
Complete the fields in Basic information.
Enter a Signing Key Name.
(Optional) Enter a Description that describes what this Signing Key will be used for.
Click Continue.
Complete the Key Pair Properties.
Select a Key Storage Type.
AWS KMS -- stores the key in a FIPS 140-3 compliant HSM (hardware security module). Required if obtaining a certificate from a public CA.
Built-In Key Storage -- stores the key in software. Intended for testing and proof-of-concept environments.
Key Storage Location is pre-selected based on your key storage type selection.
Enter a Validity Period.
Entering 0 will give the Signing Key an infinite validity period.
Select the Key Algorithm.
Considerations when selecting a key algorithm
Security policy: If your organization has algorithm and compliance standards, align your selection with those standards.
RSA 2048 / 3072 / 4096: Widely supported and reliable. Use 3072 for modern security strength and 2048 for maximum compatibility.
ECDSA P-256 / P-384 / P-521: Smaller, faster, and more efficient than RSA, but some older tools may not support them. P-256 is the most broadly compatible ECDSA option.
If you plan to request a certificate from DigiCert in the next step, note that DigiCert does not support RSA 2048 or ECDSA P-521.
Complete the Certificate Properties.
Select a Certificate Authority.
If you want to create just a key pair without a certificate, select None. Otherwise, select the certificate authority.
Select the Product Option. These options vary by certificate authority.
Complete the remaining fields in accordance with your company's guidelines.
Note: Some of these fields may be set by your certificate authority. In those cases, the values will be overwritten with the certificate authority settings on the signed certificate.
Complete the Cryptographic Object Creation section.
Select whether you want the keys and certificates created now or later, and then click Finish.
If you selected to create the cryptographic objects later, you'll need to open the Signing Key, and from the Cryptographic Objects tab, create the objects.
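The constraints the steps above impose on a Signing Key (storage type, validity, algorithm, and the DigiCert algorithm restrictions) can be checked before the request is submitted through the UI. The following pre-flight check is an added example, not part of the product or its documentation; the request field names, the `production` flag and the treatment of DigiCert as a public CA are assumptions.

```python
"""Pre-flight check for a planned Signing Key configuration (added example).

Encodes the rules stated in the procedure so a request can be reviewed
before it is entered in the UI. Field names are assumptions."""
from dataclasses import dataclass

# Algorithm choices offered by the form.
RSA_ALGOS = {"RSA 2048", "RSA 3072", "RSA 4096"}
ECDSA_ALGOS = {"ECDSA P-256", "ECDSA P-384", "ECDSA P-521"}
ALL_ALGOS = RSA_ALGOS | ECDSA_ALGOS

# Restrictions stated in the procedure.
DIGICERT_UNSUPPORTED = {"RSA 2048", "ECDSA P-521"}
PUBLIC_CAS = {"DigiCert"}  # assumption: DigiCert is treated as a public CA
STORAGE_TYPES = {"AWS KMS", "Built-In Key Storage"}


@dataclass
class SigningKeyRequest:
    name: str
    key_storage_type: str
    validity_period: int          # 0 means infinite, per the form; units as the form expects
    key_algorithm: str
    certificate_authority: str = "None"   # "None" = key pair only, no certificate
    production: bool = True       # assumption: key will sign production artifacts


def check_request(req: SigningKeyRequest) -> list[str]:
    """Return findings for the request; an empty list means it passes every check."""
    findings = []
    if not req.name.strip():
        findings.append("Signing Key Name is required.")
    if req.key_storage_type not in STORAGE_TYPES:
        findings.append(f"Unknown key storage type: {req.key_storage_type!r}.")
    if req.key_algorithm not in ALL_ALGOS:
        findings.append(f"Unknown key algorithm: {req.key_algorithm!r}.")
    if req.validity_period < 0:
        findings.append("Validity Period must be 0 (infinite) or positive.")
    elif req.validity_period == 0:
        findings.append("Warning: Validity Period 0 means the key never expires; confirm this is intended.")
    ca = req.certificate_authority
    if ca in PUBLIC_CAS and req.key_storage_type != "AWS KMS":
        findings.append("A certificate from a public CA requires AWS KMS key storage.")
    if ca == "DigiCert" and req.key_algorithm in DIGICERT_UNSUPPORTED:
        findings.append(f"DigiCert does not support {req.key_algorithm}; pick another algorithm.")
    if req.production and req.key_storage_type == "Built-In Key Storage":
        findings.append("Built-In Key Storage is intended for testing and proof-of-concept only.")
    return findings
```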
What's Next
With the Signing Key now in place, users are ready to sync the keys to their signing workstations or CI/CD pipelines. See Getting started with Code Sign Client in Dev Central for steps.