This section covers signing the cluster CSR with a CA key that is generated by, and kept encrypted under, AWS KMS. The CA private key only ever leaves KMS as plaintext through a pipe into OpenSSL; it is never written to disk.

Prerequisites

Have your cluster CSR ready and your AWS CLI configured with access to KMS. For more information on configuring the AWS CLI, refer to the AWS documentation, Configuring the AWS CLI.

Use KMS to Validate the HSM

To sign the CSR with a key backed in AWS KMS:

  1. Create a symmetric KMS customer-managed key (CMK). This key does not sign anything itself; it encrypts the RSA CA private key that will sign the CSR:

    aws kms create-key --description "CloudHSM customerCA.crt encryption key"

    Output example:

    {
        "KeyMetadata": {
            "AWSAccountId": "429127456234",
            "KeyId": "53aed673-9490-4f1c-a716-567eedd07827",
            "Arn": "arn:aws:kms:us-east-2:<AWS ACCOUNT ID>:key/53aed673-9490-4f1c-a716-567eedd07827",
            "CreationDate": "2021-01-11T19:53:15.652000+00:00",
            "Enabled": true,
            "Description": "CloudHSM customerCA.crt key encryption key",
            "KeyUsage": "ENCRYPT_DECRYPT",
            "KeyState": "Enabled",
            "Origin": "AWS_KMS",
            "KeyManager": "CUSTOMER",
            "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
            "EncryptionAlgorithms": [
                "SYMMETRIC_DEFAULT"
            ]
        }
    }
  2. Alternatively, create the key and extract the KeyId in one step with jq. Note that this runs create-key again, so use it instead of step 1, not in addition to it, or you will end up with a second key:

    aws kms create-key --description "CloudHSM customerCA.crt encryption key" | jq -r '.[] .KeyId'

    Output example:

    53aed673-9490-4f1c-a716-567eedd07827
  3. Create an alias for the KMS key so it can be referenced more easily:

    • If you use a different alias from "alias/cloudhsm-customerCA-key-encryption-key", be sure to change the alias in all of the commands that follow.
    • For --target-key-id, use the KeyId from the create-key output above.

    aws kms create-alias --alias-name "alias/cloudhsm-customerCA-key-encryption-key" --target-key-id "53aed673-9490-4f1c-a716-567eedd07827"

    Output example: (none)

  4. Generate the RSA CA key pair that will sign the certificate. KMS returns the private key only as a ciphertext blob encrypted under the CMK (PrivateKeyCiphertextBlob); no plaintext private key is returned. Save the blob, since every later step decrypts it on the fly:

    aws kms generate-data-key-pair-without-plaintext --key-id "alias/cloudhsm-customerCA-key-encryption-key" --key-pair-spec RSA_2048

    Output:

    {
        "PrivateKeyCiphertextBlob": "<PRIVATE-KEY-CIPHERTEXT-BLOB>",
        "PublicKey": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuD4bFNUbYv+8sUx+XsWClejUdYiNea1yadayadayada5V5DdX9XreRFTToPmO1SiDGnCXDC8XB9YiSe5d6BuQqHxcJ6W7zxDZU1PgY7omI8ZJazlfFq+C2EHp3DnNRx3Pu7NQjocJNib6OfkrNmuCJqlUEilvHsRPUBaM6W16FpnjDyqKEj4w/tChzxIs6asEVQDm6rv6+e/qc04ziR4wgxwlmBKQ7Nr8yAjJszFlxmXG2kCjQ27uLHvK6D5tDyboj0WD1nwWX5PG6PmtZxY8tYYOjFBwI/lzJRQMsstaUC0Y+05yadayadayadag+E/2SzNBhMsRroNMSx8sxWGrDwQIDAQAB",
        "KeyId": "arn:aws:kms:us-east-2:429127456234:key/53aed673-9490-4f1c-a716-567eedd07827",
        "KeyPairSpec": "RSA_2048"
    }
  5. Decrypt the key to binary (DER) form.

    Put the PrivateKeyCiphertextBlob from the previous step into the following command in its raw base64 form. The command writes the decrypted private key to stdout as DER; steps 6 and 7 pipe this output straight into OpenSSL so the plaintext key is never written to disk:

    aws kms decrypt \
    --ciphertext-blob "<PRIVATE-KEY-CIPHERTEXT-BLOB>" \
    --key-id "alias/cloudhsm-customerCA-key-encryption-key" \
    --output text \
    --query Plaintext | base64 --decode
  6. Create the CA certificate with the KMS private key.

    aws kms decrypt \
    --ciphertext-blob "<PRIVATE-KEY-CIPHERTEXT-BLOB>" \
    --key-id "alias/cloudhsm-customerCA-key-encryption-key" \
    --output text \
    --query Plaintext | base64 --decode | \
    openssl req -x509 -new -nodes -sha256 -days 3652 -out customerCA.crt -key /dev/stdin -keyform der -subj /CN="CloudHSMClusterCA"

    Output: None on terminal.

    This command will output the customerCA.crt file to disk which will be used in the CloudHSM client configuration once the cluster certificate is signed and uploaded.

  7. Sign the HSM CSR with the KMS-backed CA key. Note: change <CLUSTER-ID> to the ID of the cluster you are signing for.

    aws kms decrypt \
    --ciphertext-blob "<PRIVATE-KEY-CIPHERTEXT-BLOB>" \
    --key-id "alias/cloudhsm-customerCA-key-encryption-key" \
    --output text \
    --query Plaintext | base64 --decode | \
    openssl x509 -req -in cluster-<CLUSTER-ID>_ClusterCsr.csr -CA customerCA.crt -CAkey /dev/stdin -CAkeyform der -CAcreateserial -out cluster-<CLUSTER-ID>_CustomerHsmCertificate.crt -days 3652 -sha256

    Output:

    Signature ok
    subject=/C=US/ST=CA/O=Cavium/OU=N3FIPS/L=SanJose/CN=HSM:B1BF80C1755B426103C4BA244B3381:PARTN:3, for FIPS mode
    Getting CA Private Key

    This command will output the file cluster-<CLUSTER-ID>_CustomerHsmCertificate.crt. Take this file along with the customerCA.crt file generated previously and upload it to the cluster in the next section, Section 3 - Initialize CloudHSM.
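The script below is an added example, not part of the original page or of any AWS tooling. It exercises the OpenSSL half of steps 6 and 7 offline and then runs the two checks worth doing before uploading anything: that the signed cluster certificate chains to customerCA.crt, and that customerCA.crt carries the public half of the key pair KMS generated. A locally generated RSA key in DER form stands in for the output of `aws kms decrypt ... | base64 --decode`; the environment variables KMS_CIPHERTEXT_BLOB, KMS_KEY_ALIAS and KMS_PUBLIC_KEY_B64 are assumptions of this example and, when set, switch the same functions over to the real KMS pipeline and to the PublicKey field from step 4. The cluster CSR is also a constructed stand-in with a throwaway key, since the real CSR's key never leaves the HSM.

```bash
#!/usr/bin/env bash
# Added example (not part of the original page): the OpenSSL half of the
# procedure, run offline. A locally generated RSA key in DER form stands in
# for `aws kms decrypt ... | base64 --decode`; set KMS_CIPHERTEXT_BLOB to
# use the real KMS-wrapped key instead. In both cases the CA private key
# travels only through a pipe and is never written to disk.
set -euo pipefail

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
# Assumed variable names; the alias default is the one the page uses.
KMS_KEY_ALIAS="${KMS_KEY_ALIAS:-alias/cloudhsm-customerCA-key-encryption-key}"

# Emit the CA private key as DER on stdout. With KMS_CIPHERTEXT_BLOB set this
# is exactly the page's decrypt pipeline; otherwise it is the stand-in key.
ca_private_key_der() {
  if [ -n "${KMS_CIPHERTEXT_BLOB:-}" ]; then
    aws kms decrypt --ciphertext-blob "$KMS_CIPHERTEXT_BLOB" \
      --key-id "$KMS_KEY_ALIAS" --output text --query Plaintext | base64 --decode
  else
    cat "$WORK/stand-in-ca-key.der"
  fi
}

# Offline stand-in for generate-data-key-pair-without-plaintext. This file
# plays the role of the ciphertext blob held by KMS and is the one place the
# stand-in differs from the real flow.
generate_stand_in_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -outform DER -out "$WORK/stand-in-ca-key.der" 2>/dev/null
}

# Step 6: self-signed customerCA.crt from a DER key read on stdin.
make_customer_ca() {
  ca_private_key_der | openssl req -x509 -new -nodes -sha256 -days 3652 \
    -out "$WORK/customerCA.crt" -key /dev/stdin -keyform der \
    -subj "/CN=CloudHSMClusterCA"
}

# Constructed stand-in for the cluster CSR. The real CSR's key lives inside
# the HSM; here a throwaway key is generated only to have a CSR to sign.
make_cluster_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/cluster.key" -out "$WORK/cluster_ClusterCsr.csr" \
    -subj "/C=US/O=Cavium/CN=HSM:EXAMPLE" 2>/dev/null
}

# Step 7: sign the CSR with the CA key read on stdin.
sign_cluster_csr() {
  ca_private_key_der | openssl x509 -req -in "$WORK/cluster_ClusterCsr.csr" \
    -CA "$WORK/customerCA.crt" -CAkey /dev/stdin -CAkeyform der -CAcreateserial \
    -out "$WORK/cluster_CustomerHsmCertificate.crt" -days 3652 -sha256 2>/dev/null
}

# Check 1: the signed cluster certificate chains to customerCA.crt.
verify_chain() {
  openssl verify -CAfile "$WORK/customerCA.crt" \
    "$WORK/cluster_CustomerHsmCertificate.crt" >/dev/null
}

# Check 2: customerCA.crt carries the public half of the KMS key pair.
# With KMS_PUBLIC_KEY_B64 set to the PublicKey field returned by
# generate-data-key-pair-without-plaintext, compare against that;
# otherwise derive the expected public key from the stand-in private key.
verify_ca_pubkey_matches() {
  local expected actual
  if [ -n "${KMS_PUBLIC_KEY_B64:-}" ]; then
    expected="$(printf '%s' "$KMS_PUBLIC_KEY_B64" | base64 --decode | openssl dgst -sha256)"
  else
    expected="$(ca_private_key_der | openssl pkey -inform DER -pubout -outform DER | openssl dgst -sha256)"
  fi
  actual="$(openssl x509 -in "$WORK/customerCA.crt" -pubkey -noout \
    | openssl pkey -pubin -outform DER | openssl dgst -sha256)"
  [ "$expected" = "$actual" ]
}

# Full run: returns 0 only if both checks pass.
run_all() {
  [ -n "${KMS_CIPHERTEXT_BLOB:-}" ] || generate_stand_in_key
  make_customer_ca && make_cluster_csr && sign_cluster_csr \
    && verify_chain && verify_ca_pubkey_matches
}

run_all && echo "customerCA.crt and the signed cluster certificate verified"
```

Run it with no environment variables for the offline self-check; with KMS_CIPHERTEXT_BLOB and KMS_PUBLIC_KEY_B64 exported from the step 4 output, the same functions perform the page's real steps 6 and 7 and confirm that the certificate you are about to upload was issued by the KMS-held key rather than by some other key that happened to be on the machine.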