Overview

With EJBCA 7.5.0 came a new integration with CloudHSM that is much more traditional than the previous methods of CloudHSM/EJBCA integration. In the past, EJBCA had to use a custom provider to handle public key material due to some early releases of CloudHSM. As CloudHSM has evolved, it has allowed PrimeKey to change how it integrates, creating a much more native HSM experience with EJBCA talking directly to the AWS CloudHSM provider. This will allow things like cluster joins to happen more seamlessly, since the public key will exist on the HSM. EJBCA will then see the public/private keypair and use those keys to generate certificates for the local EJBCA node at join time.

Public Key Conversion

Users of EJBCA Cloud before 2.6 and EJBCA 7.5.0 need to convert their public keys that were previously stored on the local disk of the EJBCA host and import them into CloudHSM. These files were located in the /opt/ejbca/.liquidsec directory and labeled something equivalent to 10001.testKeyManagementca. These keys need to be imported into the HSM for P11NG to be able to read the HSM keys properly. You only need to perform this step once for each key that EJBCA uses, and you should do it on one of the existing nodes you are using. Once these steps have been performed for all relevant CA keys (ManagementCA, Issuing, Root, etc.), the cluster join feature can be used in the Configuration Wizard.

Convert "liquidsec" Keys

To convert the "liquidsec" keys, do the following:

  1. Convert the public key to PEM format:

    openssl x509 -pubkey -inform DER -in /opt/ejbca/.liquidsec/10001.testKeyManagementca.crt -outform PEM > /opt/ejbca/.liquidsec/10001.testKeyManagementca.crt.pubout.pem
  2. Import the public key/certificate PEM into CloudHSM, making sure to set the key ID to the same one that it was created with.

    importPubKey -l testKeyManagementca -f /opt/ejbca/.liquidsec/10001.testKeyManagementca.crt.pubout.pem -id testKeyManagementca
  3. Verify the key pair according to the instructions in step 10 - Verify the Keypair for use with EJBCA.

    If you need to validate the key ID/label on CloudHSM you can do that by listing the keys. List all keys and determine what the key handle is using "findKey". If you have more than one key, it is good to get the list of key IDs beforehand so you know exactly what ID to use when adding the public key to the HSM:

    # /opt/cloudhsm/bin/key_mgmt_util
    # loginHSM -u CU -s <USER> -p <PASSWORD>
    # findKey
    ## Look for the handle of a key
    # Handles of matching keys:
    	7077894, 7077896, 7077899, 7077901, 7077903, 7077905, 7077906, 7077907, 7077913, 7077931, 7077939, 7079144, 7079362, 7080292, 7081144,
    	7081185

    Check the ID attribute of the key using attribute 354 (changing "-o 7077894" to the handle of the key on the HSM):

    getAttribute -a 258 -o 7077894 -out /dev/tty 

    Output:

    OBJ_ATTR_ID
    testKeyManagementca

    Use attribute 512 to list all attributes.
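
Because the conversion has to be repeated for every CA key, the following added example (not part of the EJBCA documentation) batches step 1 over a directory and prints the matching step 2 command for each file, skipping anything that is not a DER certificate. It assumes the legacy files are named <number>.<label>.crt and that the label is also the key ID, as in the example above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the EJBCA documentation.
# Assumption: legacy files are named <number>.<label>.crt and <label> is also
# the key ID, as with 10001.testKeyManagementca.crt on this page.

# Derive the HSM label/ID from a legacy certificate path.
label_from_path() {
    name=${1##*/}                 # strip directory
    name=${name%.crt}             # strip extension
    printf '%s\n' "${name#*.}"    # strip leading "<number>."
}

# Run the page's conversion command for one file; fail if the input is not a
# DER certificate or no PEM public key was written.
convert_pubkey() {
    out="$1.pubout.pem"
    if openssl x509 -pubkey -inform DER -in "$1" -outform PEM > "$out" 2>/dev/null \
        && grep -q '^-----BEGIN PUBLIC KEY-----$' "$out"; then
        printf '%s\n' "$out"
    else
        rm -f "$out"              # leave no empty or partial PEM behind
        return 1
    fi
}

# Build the key_mgmt_util command, using the same value for label and ID.
import_cmd() {
    printf 'importPubKey -l %s -f %s -id %s\n' "$2" "$1" "$2"
}

# Convert every *.crt in the given directory and print the commands to run
# inside key_mgmt_util after loginHSM. Returns 1 if any file was skipped.
main() {
    status=0
    for crt in "$1"/*.crt; do
        [ -e "$crt" ] || continue
        if pem=$(convert_pubkey "$crt"); then
            import_cmd "$pem" "$(label_from_path "$crt")"
        else
            echo "skipped (not a DER certificate): $crt" >&2
            status=1
        fi
    done
    return "$status"
}

# Run only when a directory argument is given, e.g. /opt/ejbca/.liquidsec
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Compare each printed -id value against the OBJ_ATTR_ID of the existing private key before pasting the command into key_mgmt_util.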