AWS HSM – Upload Private Key

AWS CloudHSM lets you manage and access your keys on FIPS-validated hardware, protected with customer-owned, single-tenant HSM instances that run in your own Virtual Private Cloud (VPC).

Describe HSM cluster:

aws cloudhsmv2 describe-clusters --region=eu-east-1

Generate private key to initialize HSM cluster:

openssl genrsa -aes256 -out customerCA.key 2048

Generate public certificate to initialize HSM cluster:

openssl req -new -x509 -days 3652 -key customerCA.key -out customerCA.crt

Generate HSM Cluster certificate file to initialize HSM cluster:

Note: the CSR file (cluster-xxx_ClusterCsr.csr) is provided by CloudHSM.

openssl x509 -req -days 3652 -in cluster-xxx_ClusterCsr.csr \
  -CA customerCA.crt \
  -CAkey customerCA.key \
  -CAcreateserial \
  -out cluster-xxx_CustomerHsmCertificate.crt

Initializing the HSM cluster:

aws cloudhsmv2 initialize-cluster --region eu-east-1 --cluster-id cluster-hotdxipqgvu \
  --signed-cert file://cluster-hotdxipqgvu_CustomerHsmCertificate.crt \
  --trust-anchor file://customerCA.crt
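As an added example (not part of the original post), the shell script below runs the CA and signing steps above non-interactively and then checks that the signed cluster certificate actually chains to customerCA.crt before it is handed to initialize-cluster, since a certificate that does not verify against the trust anchor is useless to the cluster. It assumes openssl is on PATH; because the real CSR comes from CloudHSM, a constructed stand-in CSR is generated in its place, and the passphrase CHANGE_ME is a placeholder.

```shell
#!/bin/sh
# Added example: customer CA, cluster-CSR signing and a chain check.
# Assumptions: openssl on PATH; CHANGE_ME is a placeholder passphrase;
# the cluster CSR is a constructed stand-in for the one CloudHSM provides.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Customer CA key and self-signed trust anchor (the same two openssl steps
# as above, with the passphrase passed on the command line instead of a prompt).
make_customer_ca() {
  openssl genrsa -aes256 -passout pass:CHANGE_ME \
    -out "$WORKDIR/customerCA.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3652 -key "$WORKDIR/customerCA.key" \
    -passin pass:CHANGE_ME -subj "/CN=Example Customer CA" \
    -out "$WORKDIR/customerCA.crt" 2>/dev/null
}

# Constructed stand-in for cluster-xxx_ClusterCsr.csr (normally downloaded from CloudHSM).
make_stub_cluster_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORKDIR/stub_cluster.key" \
    -subj "/CN=stub-cluster" -out "$WORKDIR/cluster-xxx_ClusterCsr.csr" 2>/dev/null
}

# Sign the cluster CSR with the customer CA (the openssl x509 -req step above).
sign_cluster_csr() {
  openssl x509 -req -days 3652 -in "$WORKDIR/cluster-xxx_ClusterCsr.csr" \
    -CA "$WORKDIR/customerCA.crt" -CAkey "$WORKDIR/customerCA.key" \
    -passin pass:CHANGE_ME -CAcreateserial \
    -out "$WORKDIR/cluster-xxx_CustomerHsmCertificate.crt" 2>/dev/null
}

# Check before initialize-cluster: the signed certificate ($2) must verify
# against the file that will be passed as --trust-anchor ($1).
# Returns 0 when the chain is valid, non-zero otherwise.
verify_cluster_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Run make_customer_ca, make_stub_cluster_csr and sign_cluster_csr in that order, then call verify_cluster_cert with the trust anchor and the signed certificate; only on success should the files go to initialize-cluster.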

CMU (Cloud HSM Management Util)

To connect to the cluster and get access to CMU:

sudo /opt/cloudhsm/bin/configure --cmu xx.xx.xx.xx
/opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg

Log in to the HSM cluster as the crypto officer (CO) admin, create a crypto user (CU), and log in as that CU:

loginHSM CO admin -hpswd
createUser CU platform changeit
loginHSM CU platform -hpswd
password: your_password

KMU (Key Management Util)

Connect to the HSM cluster and get access to KMU:

sudo /opt/cloudhsm/bin/configure -a xx.xx.xx.xx
sudo /opt/cloudhsm/bin/key_mgmt_util

Log in as the CU, generate a symmetric wrapping key, and import the private key into the HSM cluster:

loginHSM -u CU -s platform -p your_password
genSymKey -t 31 -s 16 -sess -l import-wrapping-key
importPrivateKey -f MY_HSM_01.key -l my_bcs_hsm -w 123

Here 123 is the key handle that genSymKey (point 2) generates, whenever

If you are unable to connect to either CMU or KMU, follow the steps below.

To restart the cloud HSM client:

sudo systemctl is-active cloudhsm-client
sudo systemctl stop cloudhsm-client
sudo /opt/cloudhsm/bin/configure -a xx.xx.xx.xx
sudo systemctl start cloudhsm-client

To upload the HSM certificate:

  1. rename the certificate from .p7c to .p7b using bash (mv MY_HSM_01.p7c MY_HSM_01.p7b)
  2. convert the .p7b file to .crt/.cer format using Windows Certificate Manager (certmgr.msc)
  3. export the .cer file from Certificate Manager to a local folder
  4. configure the .cer file in the bcs-hsm-client project

Keeping the HSM private key locally:

  1. take the private .key file, convert it to .der format and store it in the resources folder
  2. rename the .key file to .pem using bash

Convert the key to PKCS#8 PEM (the output file must differ from the input, because openssl truncates the output file before it reads the input):

openssl pkcs8 -topk8 -in MY_HSM_01.pem -out MY_HSM.pem -nocrypt

Convert the PKCS#8 PEM key to DER:

openssl pkcs8 -topk8 -inform PEM -outform DER -in MY_HSM.pem -out MY_HSM.der -nocrypt
