Before the HSM can be used, the cluster CSR must be signed with a CA certificate and key. EJBCA is set up to be a CA, but its signing keys cannot yet be created in the HSM, which we have yet to configure, so we can use OpenSSL or KMS to sign the CSR. KMS is a FIPS 140-2 Level 2 validated Key Management Service that can safely protect the signing key.

Amazon describes the CSR signing process as follows:

“The certificate is used by the software libraries for authentication when you access the HSM via cloudhsm_mgmt_util. For example, for the older version, i.e. CloudHSM Classic, to log in to the HSM, customers must use SSH authentication to log in as the manager user [2]. Hence, I believe you can consider the private key/certificate you used to sign the CSR similar to a private key of an SSH key pair. Even if you use other HSMs, you have to use a soft keystore somewhere.”

To sign the CSR with a key backed by AWS KMS, proceed to section 2a - Using KMS to Validate the HSM. To use OpenSSL to generate a key on disk and validate the HSM, proceed to section 2b - Use OpenSSL to Validate the HSM.