diff --git a/handler/generate_certificate.go b/handler/generate_certificate.go
index e4d6dba8143d4d16fcef6f6f3cf45f2aead8c02d..07caca54c709261075ae497db352e848c7c74f95 100644
--- a/handler/generate_certificate.go
+++ b/handler/generate_certificate.go
@@ -47,18 +47,7 @@ func (s *KeyStorageServerImpl) GenerateCertificate(ctx context.Context, in *api.
 
 	generateCertificateResponse := &api.GenerateCertificateResponse{}
 
-	// Get and decrypt aes key
-	encryptedAesKeyMessage := &api.Key{}
-	data, _ := client.DoGetDataCall("keys", in.Uuid+"/aeskey")
-	if data.Errors != "" {
-		generateCertificateResponse.StatusList = utils.AddStatus(generateCertificateResponse.StatusList,
-			"400", api.StatusType_ERROR, data.Errors)
-		return generateCertificateResponse, nil
-	}
-
-	proto.Unmarshal(data.Data.Data, encryptedAesKeyMessage)
-
-	aesKeyBytes, err := rsaDecryptWithServerKey(s.VereignPrivateKeyFilePath, encryptedAesKeyMessage.Content, []byte("aeskeys"))
+	aesKeyBytes, err := rsaDecryptWithServerKey(s.VereignPrivateKeyFilePath, in.EncryptedAesKey, []byte("aeskeys"))
 	if err != nil {
 		generateCertificateResponse.StatusList = utils.AddStatus(generateCertificateResponse.StatusList,
 			"400", api.StatusType_ERROR, err.Error())
@@ -67,7 +56,7 @@ func (s *KeyStorageServerImpl) GenerateCertificate(ctx context.Context, in *api.
 
 	// Get and decrypt rsa private key
 	encryptedPrivateKeyMessage := &api.Key{}
-	data, _ = client.DoGetDataCall("keys", in.Uuid+"/"+api.KeyType.String(api.KeyType_PRIVATE))
+	data, _ := client.DoGetDataCall("keys", in.Uuid+"/"+api.KeyType.String(api.KeyType_PRIVATE))
 	if data.Errors != "" {
 		generateCertificateResponse.StatusList = utils.AddStatus(generateCertificateResponse.StatusList,
 			"400", api.StatusType_ERROR, data.Errors)
@@ -75,16 +64,7 @@ func (s *KeyStorageServerImpl) GenerateCertificate(ctx context.Context, in *api.
 	}
 	proto.Unmarshal(data.Data.Data, encryptedPrivateKeyMessage)
 
-	nonce := &api.Key{}
-	data, _ = client.DoGetDataCall("keys", in.Uuid+"/privatekey_nonce")
-	if data.Errors != "" {
-		generateCertificateResponse.StatusList = utils.AddStatus(generateCertificateResponse.StatusList,
-			"400", api.StatusType_ERROR, data.Errors)
-		return generateCertificateResponse, nil
-	}
-	proto.Unmarshal(data.Data.Data, nonce)
-
-	privateKeyBytes, err := aesDecrypt(aesKeyBytes, nonce.Content, encryptedPrivateKeyMessage.Content)
+	privateKeyBytes, err := aesDecrypt(aesKeyBytes, in.PrivateKeyNonce, encryptedPrivateKeyMessage.Content)
 	if err != nil {
 		generateCertificateResponse.StatusList = utils.AddStatus(generateCertificateResponse.StatusList,
 			"400", api.StatusType_ERROR, err.Error())
@@ -101,16 +81,7 @@ func (s *KeyStorageServerImpl) GenerateCertificate(ctx context.Context, in *api.
 	}
 	proto.Unmarshal(data.Data.Data, encryptedPublicKeyMessage)
 
-	nonce = &api.Key{}
-	data, _ = client.DoGetDataCall("keys", in.Uuid+"/publickey_nonce")
-	if data.Errors != "" {
-		generateCertificateResponse.StatusList = utils.AddStatus(generateCertificateResponse.StatusList,
-			"400", api.StatusType_ERROR, data.Errors)
-		return generateCertificateResponse, nil
-	}
-	proto.Unmarshal(data.Data.Data, nonce)
-
-	publicKeyBytes, err := aesDecrypt(aesKeyBytes, nonce.Content, encryptedPublicKeyMessage.Content)
+	publicKeyBytes, err := aesDecrypt(aesKeyBytes, in.PublicKeyNonce, encryptedPublicKeyMessage.Content)
 	if err != nil {
 		generateCertificateResponse.StatusList = utils.AddStatus(generateCertificateResponse.StatusList,
 			"400", api.StatusType_ERROR, err.Error())
diff --git a/handler/generate_keypair.go b/handler/generate_keypair.go
index 8e2ef25340faad611d2d58c4eb5a5d20b081aacd..0b106cd0e7c58d9b59b82a9b8fcb1709b26ddf5e 100644
--- a/handler/generate_keypair.go
+++ b/handler/generate_keypair.go
@@ -58,37 +58,21 @@ func (s *KeyStorageServerImpl) GenerateKeyPair(ctx context.Context, in *api.Gene
 		generateKeyPairResponse.StatusList = utils.AddStatus(generateKeyPairResponse.StatusList,
 			"500", api.StatusType_ERROR, err.Error())
 	}
-	encryptedAesKeyBytes, err := rsaEncryptWithServerKey(s.VereignCertFilePath, aesKeyBytes, []byte("aeskeys"))
+
+	encryptedPrivateKeyBytes, privateKeyNonce, err := aesEncrypt(aesKeyBytes, privateKeyBytes)
 	if err != nil {
 		generateKeyPairResponse.StatusList = utils.AddStatus(generateKeyPairResponse.StatusList,
 			"500", api.StatusType_ERROR, err.Error())
 		return generateKeyPairResponse, nil
 	}
-
-	encryptedAesKey := &api.Key{Content: encryptedAesKeyBytes}
-
-	result, errors, err := client.DoPutDataCall("keys", uuid+"/aeskey", encryptedAesKey, versions.EntitiesManagementAgentApiVersion)
+	encryptedPrivateKey := &api.Key{Content: encryptedPrivateKeyBytes}
+	result, errors, err := client.DoPutDataCall("keys", uuid+"/"+api.KeyType.String(api.KeyType_PRIVATE), encryptedPrivateKey, versions.EntitiesManagementAgentApiVersion)
 	generateKeyPairResponse.StatusList = handlePutDataErrors(generateKeyPairResponse.StatusList, errors, err)
 
+	publicKeyNonce := []byte{}
 	if generateKeyPairResponse.StatusList == nil || len(generateKeyPairResponse.StatusList) == 0 {
-		encryptedPrivateKeyBytes, nonce, err := aesEncrypt(aesKeyBytes, privateKeyBytes)
-		if err != nil {
-			generateKeyPairResponse.StatusList = utils.AddStatus(generateKeyPairResponse.StatusList,
-				"500", api.StatusType_ERROR, err.Error())
-			return generateKeyPairResponse, nil
-		}
-		encryptedPrivateKey := &api.Key{Content: encryptedPrivateKeyBytes}
-		result, errors, err = client.DoPutDataCall("keys", uuid+"/"+api.KeyType.String(api.KeyType_PRIVATE), encryptedPrivateKey, versions.EntitiesManagementAgentApiVersion)
-		generateKeyPairResponse.StatusList = handlePutDataErrors(generateKeyPairResponse.StatusList, errors, err)
-		if generateKeyPairResponse.StatusList == nil || len(generateKeyPairResponse.StatusList) == 0 {
-			nonceMessage := &api.Key{Content: nonce}
-			result, errors, err = client.DoPutDataCall("keys", uuid+"/privatekey_nonce", nonceMessage, versions.EntitiesManagementAgentApiVersion)
-			generateKeyPairResponse.StatusList = handlePutDataErrors(generateKeyPairResponse.StatusList, errors, err)
-		}
-	}
-
-	if generateKeyPairResponse.StatusList == nil || len(generateKeyPairResponse.StatusList) == 0 {
-		encryptedPublicKeyBytes, nonce, err := aesEncrypt(aesKeyBytes, publicKeyBytes)
+		encryptedPublicKeyBytes, publicKeyNonceLocal, err := aesEncrypt(aesKeyBytes, publicKeyBytes)
+		publicKeyNonce = publicKeyNonceLocal
 		if err != nil {
 			generateKeyPairResponse.StatusList = utils.AddStatus(generateKeyPairResponse.StatusList,
 				"500", api.StatusType_ERROR, err.Error())
@@ -97,15 +81,20 @@ func (s *KeyStorageServerImpl) GenerateKeyPair(ctx context.Context, in *api.Gene
 		encryptedPublicKey := &api.Key{Content: encryptedPublicKeyBytes}
 		result, errors, err = client.DoPutDataCall("keys", uuid+"/"+api.KeyType.String(api.KeyType_PUBLIC), encryptedPublicKey, versions.EntitiesManagementAgentApiVersion)
 		generateKeyPairResponse.StatusList = handlePutDataErrors(generateKeyPairResponse.StatusList, errors, err)
-		if generateKeyPairResponse.StatusList == nil || len(generateKeyPairResponse.StatusList) == 0 {
-			nonceMessage := &api.Key{Content: nonce}
-			result, errors, err = client.DoPutDataCall("keys", uuid+"/publickey_nonce", nonceMessage, versions.EntitiesManagementAgentApiVersion)
-			generateKeyPairResponse.StatusList = handlePutDataErrors(generateKeyPairResponse.StatusList, errors, err)
-		}
+	}
+
+	encryptedAesKeyBytes, err := rsaEncryptWithServerKey(s.VereignCertFilePath, aesKeyBytes, []byte("aeskeys"))
+	if err != nil {
+		generateKeyPairResponse.StatusList = utils.AddStatus(generateKeyPairResponse.StatusList,
+			"500", api.StatusType_ERROR, err.Error())
+		return generateKeyPairResponse, nil
 	}
 
 	if generateKeyPairResponse.StatusList == nil || len(generateKeyPairResponse.StatusList) == 0 {
 		generateKeyPairResponse.Uuid = uuid
+		generateKeyPairResponse.EncryptedAesKey = encryptedAesKeyBytes
+		generateKeyPairResponse.PrivateKeyNonce = privateKeyNonce
+		generateKeyPairResponse.PublicKeyNonce = publicKeyNonce
 		generateKeyPairResponse.StatusList = utils.AddStatus(generateKeyPairResponse.StatusList,
 			"200", api.StatusType_INFO, result)
 	}
diff --git a/server/server_test.go b/server/server_test.go
index 33f1aa4d0e21242e0f5dc38e3b171c25c5b12147..aded86e9ddb5eecf3eda86d5b808103e96c093fc 100644
--- a/server/server_test.go
+++ b/server/server_test.go
@@ -155,7 +155,7 @@ func TestGenerateKeyPairAndCertificate(t *testing.T) {
 	keyStorageClient.SetUpClient(keyStorageAuth, keyStorageGrpcAddress, certFilePath)
 	defer keyStorageClient.CloseClient()
 
-	uuid, statusList, _ := keyStorageClient.DoGenerateKeyPair(2048)
+	uuid, encryptedAesKey, privateKeyNonce, publicKeyNonce, statusList, _ := keyStorageClient.DoGenerateKeyPair(2048)
 	for _, status := range statusList {
 		if status.StatusType == ksapi.StatusType_ERROR {
 			t.Errorf("DoGenerateKeyPair, returned error: %s.", status.Code+":"+status.Description)
@@ -214,7 +214,7 @@ func TestGenerateKeyPairAndCertificate(t *testing.T) {
 		Host:               "abcde.com",
 	}
 
-	statusList, _ = keyStorageClient.DoGenerateCertificate(uuid, certificateData)
+	statusList, _ = keyStorageClient.DoGenerateCertificate(uuid, certificateData, encryptedAesKey, privateKeyNonce, publicKeyNonce)
 	for _, status := range statusList {
 		if status.StatusType == ksapi.StatusType_ERROR {
 			t.Errorf("DoGenerateCertificate, returned error: %s.", status.Code+":"+status.Description)