2 - Use OpenSSL to Validate the HSM

To start using the HSM, you have to sign the cluster CSR with a CA. EJBCA is set up to be a CA, but its keys are not in an HSM yet, and the HSM is exactly what we are trying to create. This seems like a predicament.

Per Amazon: “The certificate is used by the software libraries for authentication when you access the HSM via cloudhsm_mgmt_util. For example, for the older version, i.e. CloudHSM Classic, to log in to the HSM, customers must use SSH authentication to log in as manager user [2]. Hence, I believe you can consider the private key/certificate you used to sign the CSR similar to a private key of an SSH key pair. Even if you use other HSMs, you have to use a soft keystore somewhere.”

With that in mind, we proceed as follows to generate the key pair and sign the CSR.

  1. Download the 4 certificates from the links in the UI:

     There will be 4 files that look like the following:

  2. Copy these certificates to the EJBCA instance. The file name prefix is the cluster ID; for this cluster the files are named cluster-ijd53hj4zdv_<file-type>. The example below shows the CSR, but you will need to copy each of these files. You can also use your preferred SCP client:
    # scp -i ~/Documents/C2\ Comp/PrimeKey/EC2\ Creds/c2-ssh/c2-ssh.pem ~/Downloads/cluster-ijd53hj4zdv_ClusterCsr.csr ec2-user@ec2-34-229-187-81.compute-1.amazonaws.com:/home/ec2-user/


  3. Use OpenSSL to create a key to validate the HSM. This command asks for a password to protect the key; you may use the instance ID or another password of your choosing.
    # openssl genrsa -aes256 -out customerCA.key 2048

  4. Create a self-signed issuing cert with the key just created. This command asks for values for the cert (country code, location, etc.); you can populate them or press Enter to leave them blank, but you must populate at least one value.
    # openssl req -new -x509 -days 3652 -key customerCA.key -out customerCA.crt

  5. Sign the CSR with the issuing cert and key. Be sure to change the CSR (the -in value) to the one that was downloaded from your HSM cluster.
     This command creates a file named CustomerHsmSignedCertificate.crt. Use this file as the signed certificate when you initialize the cluster.
    # openssl x509 -req -days 3652 -in cluster-ijd53hj4zdv_ClusterCsr.csr \
                                  -CA customerCA.crt \
                                  -CAkey customerCA.key \
                                  -CAcreateserial \
                                  -out CustomerHsmSignedCertificate.crt
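Steps 3 to 5 scripted end to end, with the two checks worth running before you upload the signed certificate to the cluster (it chains to customerCA.crt, and its public key is the one from the CSR), as an added example that is not part of the original page. It assumes openssl is on PATH, reads the CA password from a CA_PASS environment variable, and uses a constructed stand-in CSR in place of the downloaded cluster CSR.

```shell
# Added example, not from the original page: sign a CloudHSM cluster CSR
# non-interactively and check the result before initializing the cluster.
# Assumes openssl on PATH; the CA password comes from $CA_PASS (assumption).
set -eu

# Steps 3 and 4 above: AES-256 protected CA key and a self-signed issuing cert.
make_customer_ca() {
  workdir=$1
  openssl genrsa -aes256 -passout env:CA_PASS -out "$workdir/customerCA.key" 2048
  openssl req -new -x509 -days 3652 -key "$workdir/customerCA.key" -passin env:CA_PASS \
    -subj "/C=US/O=Example/CN=customerCA" -out "$workdir/customerCA.crt"
}

# Step 5 above: sign the cluster CSR; writes CustomerHsmSignedCertificate.crt.
sign_cluster_csr() {
  workdir=$1; csr=$2
  openssl x509 -req -days 3652 -in "$csr" \
    -CA "$workdir/customerCA.crt" -CAkey "$workdir/customerCA.key" -passin env:CA_PASS \
    -CAcreateserial -out "$workdir/CustomerHsmSignedCertificate.crt"
}

# Checks before uploading: the signed cert chains to customerCA.crt, and its
# public key is the one from the CSR (catches signing the wrong CSR or CA).
verify_signed_cert() {
  workdir=$1; csr=$2
  crt="$workdir/CustomerHsmSignedCertificate.crt"
  openssl verify -CAfile "$workdir/customerCA.crt" "$crt" >/dev/null || return 1
  csr_pub=$(openssl req -in "$csr" -noout -pubkey | openssl sha256)
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
  [ "$csr_pub" = "$crt_pub" ]
}

# Constructed stand-in for cluster-<id>_ClusterCsr.csr so the script runs offline;
# with a real cluster, skip this and pass the downloaded CSR instead.
make_stand_in_csr() {
  workdir=$1
  openssl genrsa -out "$workdir/stand-in-hsm.key" 2048 2>/dev/null
  openssl req -new -key "$workdir/stand-in-hsm.key" -subj "/CN=stand-in-cluster" \
    -out "$workdir/cluster-stand-in_ClusterCsr.csr"
}

run_demo() {
  workdir=$(mktemp -d); csr="$workdir/cluster-stand-in_ClusterCsr.csr"
  make_customer_ca "$workdir"; make_stand_in_csr "$workdir"
  sign_cluster_csr "$workdir" "$csr"
  verify_signed_cert "$workdir" "$csr" && echo "signed cert verified in $workdir"
}

if [ "${1:-}" = "run" ]; then CA_PASS=${CA_PASS:-change-me}; export CA_PASS; run_demo; fi
```

Run it as `sh sign-cluster-csr.sh run`; for a real cluster, replace the stand-in CSR in run_demo with the cluster-<id>_ClusterCsr.csr you downloaded.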