{"id":53,"date":"2024-03-23T07:09:29","date_gmt":"2024-03-23T07:09:29","guid":{"rendered":"https:\/\/psahni.com\/?p=53"},"modified":"2024-03-28T11:11:42","modified_gmt":"2024-03-28T11:11:42","slug":"aws-hsm-upload-private-key","status":"publish","type":"post","link":"https:\/\/psahni.com\/?p=53","title":{"rendered":"AWS HSM – Upload Private Key"},"content":{"rendered":"\n

AWS CloudHSM lets you manage and access your keys on FIPS-validated hardware, protected with customer-owned, single-tenant HSM instances that run in your own Virtual Private Cloud (VPC).<\/p>\n\n\n\n

Describe HSM cluster:<\/h4>\n\n\n\n

aws cloudhsmv2 describe-clusters --region=eu-east-1<\/code><\/p>\n\n\n\n

Generate private key to initialize HSM cluster:<\/h4>\n\n\n\n

openssl genrsa -aes256 -out customerCA.key 2048<\/code><\/p>\n\n\n\n

Generate public certificate to initialize HSM cluster:<\/h4>\n\n\n\n

openssl req -new -x509 -days 3652 -key customerCA.key -out customerCA.crt<\/code><\/p>\n\n\n\n

Generate HSM Cluster certificate file to initialize HSM cluster:<\/h4>\n\n\n\n
Note: CSR file will be provided by cloud HSM<\/h6>\n\n\n\n

openssl x509 -req -days 3652 -in cluster-xxx_ClusterCsr.csr \\ -CA customerCA.crt \\ -CAkey customerCA.key \\ -CAcreateserial \\ -out cluster-xxx_CustomerHsmCertificate.crt<\/code><\/p>\n\n\n\n

Initializing the HSM cluster:<\/h4>\n\n\n\n

aws cloudhsmv2 initialize-cluster --region eu-east-1 --cluster-id cluster-hotdxipqgvu \\ --signed-cert file:\/\/cluster-hotdxipqgvu_CustomerHsmCertificate.crt \\ --trust-anchor file:\/\/customerCA.crt<\/code><\/p>\n\n\n\n

CMU (Cloud HSM Management Util)<\/h4>\n\n\n\n
To connect Cluster and get access to CMU:<\/h6>\n\n\n\n

sudo \/opt\/cloudhsm\/bin\/configure --cmu xx.xx.xx.xx \/opt\/cloudhsm\/bin\/cloudhsm_mgmt_util \/opt\/cloudhsm\/etc\/cloudhsm_mgmt_util.cfg<\/code><\/p>\n\n\n\n

Login to the HSM cluster as an admin and create and log in as a crypto user (CU):<\/h6>\n\n\n\n

loginHSM CO admin -hpswd createUser CU platform changeit loginHSM CU platform -hpswd password : <\/code>your_password<\/p>\n\n\n\n

KMU (Key Management Util)<\/h4>\n\n\n\n
Connect to HSM Cluster and get access to KMU:<\/h6>\n\n\n\n

sudo \/opt\/cloudhsm\/bin\/configure -a xx.xx.xx.xx<\/code> sudo \/opt\/cloudhsm\/bin\/key_mgmt_util<\/code><\/p>\n\n\n\n

Login as a CU user and Generate symmetric wrapper key handle and import private key into HSM cluster:<\/h6>\n\n\n\n

loginHSM -u CU -s platform -p your_password genSymKey -t 31 -s 16 -sess -l import-wrapping-key importPrivateKey -f MY_HSM_01.key -l my_bcs_hsm -w <\/code>123<\/p>\n\n\n\n

Here 123 is the key handle which will generated by SymKey (2 point), when ever<\/p>\n\n\n\n

When you are unable to connect to either CMU or KMU then follow below steps<\/h5>\n\n\n\n

To restart the cloud HSM client:<\/h4>\n\n\n\n

sudo systemctl is-active cloudhsm-client sudo systemctl stop cloudhsm-client sudo \/opt\/cloudhsm\/bin\/configure -a xx.xx.xx.xx<\/code><\/code> sudo systemctl start cloudhsm-client<\/code><\/p>\n\n\n\n

    \n
  1. rename the cert name from p7c format to p7b format using bash (mv MY_HSM_01.p7c MY_HSM_01.p7b)<\/li>\n\n\n\n
  2. convert p7b format to .crt\/.cer format using windows cert manager (certmgr.msc)<\/li>\n\n\n\n
  3. export .cer file from cert manager to local folder<\/li>\n\n\n\n
  4. configure .cer file into bcs-hsm-client project<\/li>\n<\/ol>\n\n\n\n

    To upload HSM certificate:<\/p>\n\n\n\n

    Keeping HSM Private key into Local:<\/strong><\/p>\n\n\n\n

      \n
    1. consume private .key file and convert into .der format and store it resources folder<\/li>\n\n\n\n
    2. rename .key to .pem file format using bash<\/li>\n<\/ol>\n\n\n\n

      openssl pkcs8 -topk8 -in MY_HSM_01.pem -out MY_HSM_01.pem -nocrypt<\/p>\n\n\n\n

      openssl pkcs8 -topk8 -inform PEM -outform DER -in MY_HSM.pem -out MY_HSM.der -nocrypt<\/p>\n","protected":false},"excerpt":{"rendered":"

      AWS CloudHSM lets you manage and access your keys on FIPS-validated hardware, protected with customer-owned, single-tenant HSM instances that run in your own Virtual Private Cloud (VPC). Describe HSM cluster: aws cloudhsmv2 describe-clusters –region=eu-east-1 Generate private key to initialize HSM cluster: openssl genrsa -aes256 -out customerCA.key 2048 Generate public certificate to initialize HSM cluster: openssl […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[1],"tags":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/psahni.com\/index.php?rest_route=\/wp\/v2\/posts\/53"}],"collection":[{"href":"https:\/\/psahni.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/psahni.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/psahni.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/psahni.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=53"}],"version-history":[{"count":3,"href":"https:\/\/psahni.com\/index.php?rest_route=\/wp\/v2\/posts\/53\/revisions"}],"predecessor-version":[{"id":71,"href":"https:\/\/psahni.com\/index.php?rest_route=\/wp\/v2\/posts\/53\/revisions\/71"}],"wp:attachment":[{"href":"https:\/\/psahni.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=53"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/psahni.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=53"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/psahni.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=53"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}