# Provisioning Overview

*Security properties and scope of the provisioning process*

## Purpose

The primary purpose of the provisioning process is to enable the Floating Server to sign responses that LicenseSpring SDKs can cryptographically verify as genuine. Each Floating Server instance receives a certificate and matching private key issued under the LicenseSpring PKI, allowing it to sign its responses in a way that any integrated SDK can verify against the LicenseSpring trust hierarchy.

Additional benefits of the provisioning process include:

* The Floating Server presents a certificate chain anchored in the LicenseSpring CA, establishing a verifiable cryptographic identity for that instance.
* On startup, the Floating Server rejects certificates that do not chain to the expected LicenseSpring root CA, ensuring only properly provisioned instances can operate.

## How It Works

The LicenseSpring Platform manages provisioning for each Floating Server instance. Two provisioning methods are supported: certificate-based (CSR) and hardware key (YubiKey). Both are initiated and managed through the LicenseSpring Vendor Platform under **Enterprise Company → Licenses → Floating Servers**.

### Certificate-Based Provisioning (CSR)

This is the standard provisioning method. The process works as follows:

{% stepper %}
{% step %}
A 2048-bit RSA key pair is generated locally and a Certificate Signing Request (CSR) is created.
{% endstep %}

{% step %}
The CSR is submitted to the LicenseSpring Platform, which issues a certificate chain containing a root CA certificate, an intermediate CA certificate, and a leaf certificate.
{% endstep %}

{% step %}
The issued certificate chain and the corresponding private key are placed in the Floating Server's configuration directory and referenced in `default.yaml`.
{% endstep %}

{% step %}
On startup, the Floating Server verifies that the certificate chain terminates in the expected LicenseSpring root CA, that the chain is valid, and that the private key matches the leaf certificate. Instances that fail this check do not start.
{% endstep %}

{% step %}
The Floating Server uses the provisioned private key and certificate to sign all responses it sends to connected SDKs.
{% endstep %}
{% endstepper %}

### Hardware Key Provisioning (YubiKey)

Available from Floating Server v2.2.0, hardware key provisioning binds the server to a physical YubiKey device. This method is recommended when physical enforcement or offline licensing is required.

When hardware key provisioning is enabled:

* The Floating Server establishes a connection to the YubiKey on startup and uses it for all cryptographic operations.
* If the hardware key is disconnected while the server is running, the server shuts down gracefully.
* Only licenses with the **Required Hardware Key** option enabled in the LicenseSpring Platform are accepted by a hardware key–provisioned server.

Hardware key provisioning is configured via the LicenseSpring Vendor Platform and reflected in the server's `default.yaml` configuration file.

## What the SDK Verifies

LicenseSpring SDKs verify the authenticity of every Floating Server response. The following checks are performed on each response:

* The response signature is cryptographically valid.
* The signing certificate chains back to the LicenseSpring trusted root CA.
* The trust anchor is specifically the LicenseSpring root CA, not any CA the host happens to trust.
* Certificate validity period and policy constraints are checked where applicable.

These checks are part of the standard SDK integration and are performed automatically. All LicenseSpring SDKs that support the Floating Server perform this validation.
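The CSR flow above and the per-response SDK checks in this section share the same two verifications: the chain must validate and terminate in the pinned root, and the signature must check out against the leaf. The script below is an added illustration written for this page with the `openssl` CLI; it is not LicenseSpring's tooling and does not talk to the LicenseSpring Platform. It builds a throwaway root → intermediate → leaf chain (standing in for the platform-issued chain), runs the startup check from step 4, signs a constructed response body as in step 5, and then performs the SDK-side verification, including the negative cases: a chain from a different root and a tampered body. All file names, subject names and the JSON bodies are constructed for the demo.

```shell
#!/bin/sh
# Added demo, not LicenseSpring tooling: a throwaway three-tier PKI built with
# the openssl CLI, the startup checks the page describes, response signing, and
# the SDK-side verification. File names, CNs and JSON bodies are constructed here.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the script does not depend on a system openssl.cnf
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = unused\n' > req.cnf
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > leaf.ext

# new_csr NAME CN: fresh 2048-bit RSA key plus CSR (step 1 of the CSR flow)
new_csr() { openssl req -config req.cnf -new -newkey rsa:2048 -nodes \
  -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null; }

# make_pki PREFIX: root -> intermediate -> leaf, the shape the platform issues (step 2)
make_pki() {
  new_csr "$1-root" "$1 Root CA"
  openssl x509 -req -in "$1-root.csr" -signkey "$1-root.key" -days 30 \
    -extfile ca.ext -out "$1-root.pem" 2>/dev/null
  new_csr "$1-int" "$1 Intermediate CA"
  openssl x509 -req -in "$1-int.csr" -CA "$1-root.pem" -CAkey "$1-root.key" \
    -CAcreateserial -days 30 -extfile ca.ext -out "$1-int.pem" 2>/dev/null
  new_csr "$1-leaf" "$1 Floating Server"
  openssl x509 -req -in "$1-leaf.csr" -CA "$1-int.pem" -CAkey "$1-int.key" \
    -CAcreateserial -days 30 -extfile leaf.ext -out "$1-leaf.pem" 2>/dev/null
}

# root_fp CERT: SHA-256 fingerprint, the value a verifier pins instead of "any CA"
root_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# chain_ok LEAF INTER ROOT PINNED_FP: the shipped root must be the pinned one and
# leaf -> intermediate -> root must validate using ONLY that root (the system
# trust store is deliberately not consulted; validity dates are checked by verify)
chain_ok() {
  [ "$(root_fp "$3")" = "$4" ] || return 1
  openssl verify -no-CAfile -no-CApath -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# startup_check LEAF INTER ROOT KEY PINNED_FP: step 4; a failing instance must not start
startup_check() {
  chain_ok "$1" "$2" "$3" "$5" || return 1
  # private key must correspond to the leaf: compare SubjectPublicKeyInfo
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$4" -pubout)" ]
}

# sign_response KEY BODY SIGFILE: step 5, the server signs each response body
sign_response() { openssl dgst -sha256 -sign "$1" -out "$3" "$2"; }

# sdk_verify LEAF INTER ROOT PINNED_FP BODY SIGFILE: per-response SDK checks,
# chain to the pinned root first, then the signature over the body
sdk_verify() {
  chain_ok "$1" "$2" "$3" "$4" || return 1
  openssl x509 -in "$1" -noout -pubkey > leaf-pub.pem
  openssl dgst -sha256 -verify leaf-pub.pem -signature "$6" "$5" >/dev/null 2>&1
}

make_pki good    # stands in for the LicenseSpring-issued chain
make_pki rogue   # a syntactically valid chain from an untrusted root
PINNED=$(root_fp good-root.pem)   # what the server and SDK pin (constructed value)

printf '{"license":"demo","floating_slots":3}' > resp.json
sign_response good-leaf.key resp.json resp.sig
printf '{"license":"demo","floating_slots":300}' > tampered.json

startup_check good-leaf.pem good-int.pem good-root.pem good-leaf.key "$PINNED" && echo "startup: ok"
startup_check rogue-leaf.pem rogue-int.pem rogue-root.pem rogue-leaf.key "$PINNED" || echo "startup: rogue chain rejected"
sdk_verify good-leaf.pem good-int.pem good-root.pem "$PINNED" resp.json resp.sig && echo "sdk: genuine response"
sdk_verify good-leaf.pem good-int.pem good-root.pem "$PINNED" tampered.json resp.sig || echo "sdk: tampered body rejected"
```

Two design points carry over to a real deployment: `-no-CAfile -no-CApath` (plus `-no-CAstore` on OpenSSL 3) is what makes "the LicenseSpring root, not just any valid CA" true, because a valid chain to a public CA would otherwise pass; and the public-key comparison in `startup_check` catches the common misconfiguration of a `default.yaml` pointing at a key from a different provisioning run.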

## Out of Scope

The provisioning process establishes cryptographic identity for the Floating Server. The following capabilities fall outside its scope, but LicenseSpring provides dedicated mechanisms to address each one.

### Host Binding

The provisioning process does not bind the Floating Server to a specific physical machine. Host binding is enforced at the license level. When a license is activated through the Floating Server, LicenseSpring uses the machine's hardware ID to bind that license to the specific host; this binding, not the certificate, is what controls where the software runs.

For deployments requiring stronger physical enforcement, hardware key provisioning (YubiKey) provides an additional layer of binding: the server will not operate unless the designated hardware key is physically present.

### Preventing License Entitlement Duplication

License entitlement protection is enforced at the license level by LicenseSpring, independently of the server provisioning process. Licenses are bound to hardware IDs, and this binding is what prevents unauthorized duplication of entitlements across environments.

Vendors can further strengthen entitlement controls using the following LicenseSpring capabilities:

* **Hardware ID binding** ties each activated license to a specific machine, enforced by the LicenseSpring Platform.
* **Max activations** on a floating license limits how many distinct Floating Server instances may hold that license simultaneously.
* **Periodic online sync** ensures each Floating Server re-validates its license state with the LicenseSpring Cloud at a configurable interval (between 5 minutes and 24 hours).

### Revocation and Access Control

Certificate revocation is not enforced as part of the provisioning process. LicenseSpring provides the following controls to manage server access and limit exposure:

* **Certificate expiry:** Set an expiration date when provisioning a server instance via the LicenseSpring Platform to limit how long a certificate remains valid.
* **License expiry:** Configure license expiry on the floating license to control how long a Floating Server deployment remains authorized.
* **Periodic online sync:** Require the Floating Server to re-validate its license state against the LicenseSpring Cloud at regular intervals, ensuring any changes to license status are enforced promptly.
* **License revocation:** Administrators can forcibly release floating license registrations from the LicenseSpring Platform or End User Portal, immediately freeing up capacity and blocking continued use.
