2a - Using KMS to Validate the HSM
This section covers signing the cluster CSR with a CA key that is kept encrypted under an AWS KMS key, so the CA private key is only ever decrypted at signing time.
Prerequisites
Have your cluster CSR ready and your AWS CLI configured with credentials that are allowed to use KMS. For more information on configuring the AWS CLI, refer to the AWS documentation, Configuring the AWS CLI.
Use KMS to Validate the HSM
To sign the CSR with a key backed by AWS KMS:
Create a KMS customer-managed key (CMK). It is a symmetric key: it does not sign anything itself, but it protects the CA private key that signs the CSR in the steps below:
```bash
aws kms create-key --description "CloudHSM customerCA.crt encryption key"
```
Output example:
```json
{
    "KeyMetadata": {
        "AWSAccountId": "429127456234",
        "KeyId": "53aed673-9490-4f1c-a716-567eedd07827",
        "Arn": "arn:aws:kms:us-east-2:<AWS ACCOUNT ID>:key/53aed673-9490-4f1c-a716-567eedd07827",
        "CreationDate": "2021-01-11T19:53:15.652000+00:00",
        "Enabled": true,
        "Description": "CloudHSM customerCA.crt key encryption key",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}
```
Alternatively, create the key and extract the KeyId in one step with jq. Run this instead of the previous command, not in addition to it: every invocation of create-key creates a new key.
```bash
aws kms create-key --description "CloudHSM customerCA.crt encryption key" | jq -r '.KeyMetadata.KeyId'
```
Output example:
```text
53aed673-9490-4f1c-a716-567eedd07827
```
Create an alias for the KMS key so it can be referenced more easily:
- If you use an alias other than "alias/cloudhsm-customerCA-key-encryption-key", change the alias in all of the commands that follow.
- For --target-key-id, use the KeyId returned by the create-key command above.
```bash
aws kms create-alias --alias-name "alias/cloudhsm-customerCA-key-encryption-key" --target-key-id "53aed673-9490-4f1c-a716-567eedd07827"
```
Output example: (none)
Create the CA key pair that will sign the certificates. generate-data-key-pair-without-plaintext returns the public key and the private key encrypted under the CMK (the PrivateKeyCiphertextBlob); the plaintext private key is only produced when the signing steps below call kms decrypt. Keep the PrivateKeyCiphertextBlob from the output, and note that anyone allowed kms:Decrypt on this CMK can recover the CA private key, so scope the key policy accordingly:
```bash
aws kms generate-data-key-pair-without-plaintext --key-id "alias/cloudhsm-customerCA-key-encryption-key" --key-pair-spec RSA_2048
```
Output:
```json
{
    "PrivateKeyCiphertextBlob": "<CIPHERTEXT-BLOB>",
    "PublicKey": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuD4bFNUbYv+8sUx+XsWClejUdYiNea1yadayadayada5V5DdX9XreRFTToPmO1SiDGnCXDC8XB9YiSe5d6BuQqHxcJ6W7zxDZU1PgY7omI8ZJazlfFq+C2EHp3DnNRx3Pu7NQjocJNib6OfkrNmuCJqlUEilvHsRPUBaM6W16FpnjDyqKEj4w/tChzxIs6asEVQDm6rv6+e/qc04ziR4wgxwlmBKQ7Nr8yAjJszFlxmXG2kCjQ27uLHvK6D5tDyboj0WD1nwWX5PG6PmtZxY8tYYOjFBwI/lzJRQMsstaUC0Y+05yadayadayadag+E/2SzNBhMsRroNMSx8sxWGrDwQIDAQAB",
    "KeyId": "arn:aws:kms:us-east-2:429127456234:key/53aed673-9490-4f1c-a716-567eedd07827",
    "KeyPairSpec": "RSA_2048"
}
```
Get the key in binary format.
Put the PrivateKeyCiphertextBlob into the following command in its raw form. KMS returns the plaintext base64-encoded, so the output is decoded to the DER-encoded private key. The key exists in plaintext only in the pipe; the following steps hand it to openssl through /dev/stdin rather than writing it to disk:
```bash
aws kms decrypt \
  --ciphertext-blob "AQIDAHihEzIkdDyPjewy+oI1OczrGqnbELcWk8y53PUkpUi/5QExVfT2znGI/FF8F116nQ8RAAAFKTCCBSUGCSqGSIb3DQEHBqCCBRYwggUSAyadayadayadavcNAQcBMB4GCWCGSAFlAwQBLjARBAy3kztfS9Rxa7BqowkCARCAggTcptQtduSJg6jvyJB8LqqT+6eD9DACaMb8vkUbJzDIV3ezLIYEYc2tvw63XuZffcmgjiXxGCktUTwIABfMkm+K6ouNzz6DEJKnakJPtitln8ShDLS7vKqTZ2mZKZKR4cgVXDPuRa0knoTxjYT+pPXOYVujD3ZTKngUQpEAyecUIYv86bOzkdSjigtiP4ypOfuP6j6Z4miE4ZW6fziNgdUvu1dPAqH4vHzbFgzaxWox0l/XzfD8CKg7seTzkxX3IJ1PuMgPF4+JpNnOTmflK46Op8bFJ+FRTcYNELT4FVzqJorwCnyyNvZthK3p7QfqITKdfutHCQ3TJ0ToUEyadayadayadaf7G4fyfGOOzRiQUXGfu5KoIHIik2XkU3/XEOl6nEjyXmrKbju1XqsVCEJAQLdWtx1QUYeaXfb29/PnIgUOZFoWx0n8maCYnSRH6lasGsYpYf9Y3+luatGGfqFajZORG4F/7LmXwUD/ElNpcuGVEj9g27F8MzwnIi1vUwXtMFX2ofLOdEPdW0kO3J4ZTAt22dOs1KF3HpIL2nQQqlYSp7U9DKR9Eg5LkVDuCr3S3QYl3AR/fTV3g1zzyadayadayadaBy7vn19uxYhNNlzk/79wU7UkvKNrroWdv/q7z4KAQKU1Dyikl0ZpVjRr3xr2E7SwfDnih5Mpekf373aUu0hzB+p2OX86W1T5c/LAnEc34W75HjAWg8/7WhmwALmnfMhAnNYKDxYNk0W8pORhyadayadayadamyGJWrEp4fQnrLYjeIMFMYjYKYfLJFdqHEgJQO7ENcV+EsU0z/kBhphG09rpFK80blK5LhLPPo93yhfsmtgmiZ8Wg1wGTJASRb1eI6qBZBB2C9YS0XnaLJntaQ2xkyt8+nBczKa8ge5LqJEHcnV/wLkhPnf7uiJ5H5dZyadayadayadatOnowkKsVKmK7f57GufC82IBjm7ANcCaGehjMQtXgQcHRPoyyUqiBw6kUt6cHSe7sTSIzU/qHxX8GNe+vtmXUoyq8JsStWpRC8LkvyXVO25T0Xhq0rWNjWMqRoWgsLAO1PjL8Hlqj6loCzusSx5k3fg50wHtRMBlqFpPGulqb9xH0RyadayadayadaQMDDd241HZsljKJhe93/Gb21SGRJMZbeg9zMFNi9FtUnUBZVFIt7+QnPwUabU2FJWUIS2zqiyadayadayadaFebmfJO5jpDABUENdVrR1le96MxycGyadayadayadaCNmtlQmYJSxv0nMuNwL3z4ehU0ZbNo+tj8rbRSQ7sTyadayadayadaYyZyMgwmbrXai/KBH6Hvz5GVtpSJqK7PSkIy0PZ0CyXwkblqu25QhVjC78D8ckKJ2wU34wUytMNBdAt/z5KYHdzw44qBG6ITFfj4WLFNMumhyUzIGgxP49ojbxsR3K/Os1hiFpwiG/zuJG26KPy4/+/IlinND+P/+y+wBvpSSb+ylWUaL3VdlFZwRIKAdDbk+/95w9DSP/0Jic0k1CucUkqbqz3G4IMb8nji+2j9rfwtKnaCIMPEF2RFnepYiBGYwe0eUIPYlxCHMvXN8vBNQFC+dfYUU+1hxJ/c0k/3GIKdimKmzNCwcjQ=" \
  --key-id "alias/cloudhsm-customerCA-key-encryption-key" \
  --output text \
  --query Plaintext | base64 --decode
```
Create the self-signed CA certificate with the KMS-protected private key. The decrypted DER key is piped into openssl as /dev/stdin; replace <CIPHERTEXT-BLOB> with your PrivateKeyCiphertextBlob.
```bash
aws kms decrypt \
  --ciphertext-blob "<CIPHERTEXT-BLOB>" \
  --key-id "alias/cloudhsm-customerCA-key-encryption-key" \
  --output text \
  --query Plaintext | base64 --decode | \
  openssl req -x509 -new -nodes -sha256 -days 3652 -out customerCA.crt -key /dev/stdin -keyform der -subj /CN="CloudHSMClusterCA"
```
Output: None on terminal.
This command writes the customerCA.crt file to disk. It is used in the CloudHSM client configuration once the cluster certificate has been signed and uploaded.
Sign the HSM CSR with the KMS-protected CA key. Replace <CLUSTER-ID> with the ID of the cluster whose CSR you are signing; it appears in both the input CSR file name and the output certificate file name.
```bash
aws kms decrypt \
  --ciphertext-blob "<CIPHERTEXT-BLOB>" \
  --key-id "alias/cloudhsm-customerCA-key-encryption-key" \
  --output text \
  --query Plaintext | base64 --decode | \
  openssl x509 -req -in cluster-<CLUSTER-ID>_ClusterCsr.csr -CA customerCA.crt -CAkey /dev/stdin -CAkeyform der -CAcreateserial -out cluster-<CLUSTER-ID>_CustomerHsmCertificate.crt -days 3652 -sha256
```
Output:
```text
Signature ok
subject=/C=US/ST=CA/O=Cavium/OU=N3FIPS/L=SanJose/CN=HSM:B1BF80C1755B426103C4BA244B3381:PARTN:3, for FIPS mode
Getting CA Private Key
```
This command writes the file cluster-<CLUSTER-ID>_CustomerHsmCertificate.crt. Take this file, along with the customerCA.crt file generated previously, and upload them to the cluster in the next section, Section 3 - Initialize CloudHSM.
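The following script is an added example, not part of the original page and not AWS tooling: it rehearses the openssl half of the procedure above (CA certificate from a DER key on /dev/stdin, then signing a CSR with that key) without any AWS credentials. A locally generated RSA key, base64-encoded to match the shape of `aws kms decrypt --query Plaintext --output text`, stands in for the KMS data key pair, and a locally generated CSR stands in for the cluster CSR; the "sim-cluster" ID and all file names are constructed placeholders. It also adds the check worth running before uploading: confirming with `openssl verify` that the signed HSM certificate chains to customerCA.crt, and that an unrelated CA is rejected.

```bash
# Added example (not from the original page): rehearse the openssl steps with a
# locally generated key standing in for the KMS data key pair. Runs offline.
set -eu

WORK="$(mktemp -d)"
CLUSTER_ID="sim-cluster"   # constructed placeholder, not a real CloudHSM cluster ID
CSR="$WORK/cluster-${CLUSTER_ID}_ClusterCsr.csr"
HSM_CERT="$WORK/cluster-${CLUSTER_ID}_CustomerHsmCertificate.crt"

# Stand-in for the KMS data key pair: an RSA-2048 private key in DER form,
# base64-encoded, which is the shape "aws kms decrypt --query Plaintext" returns.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -outform der -out "$WORK/ca-key.der" 2>/dev/null
CA_KEY_B64="$(openssl base64 -A -in "$WORK/ca-key.der")"

# Stand-in for the cluster CSR (the real one is downloaded from CloudHSM).
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/hsm.key" \
  -out "$CSR" -subj "/CN=HSM:simulated" 2>/dev/null

# Emit the key exactly as the page's pipeline does: decoded DER on a pipe,
# never written to disk in plaintext by the signing steps.
decrypted_ca_key() {
  printf '%s' "$CA_KEY_B64" | base64 --decode
}

# Self-signed CA certificate from the DER key on stdin (same openssl flags as the page).
# $1 = output certificate path, $2 = CA common name
make_ca_cert() {
  decrypted_ca_key | openssl req -x509 -new -nodes -sha256 -days 3652 \
    -out "$1" -key /dev/stdin -keyform der -subj "/CN=$2"
}

# Sign the CSR with the DER CA key on stdin (same openssl flags as the page).
# $1 = CA certificate path
sign_csr() {
  decrypted_ca_key | openssl x509 -req -in "$CSR" -CA "$1" -CAkey /dev/stdin \
    -CAkeyform der -CAcreateserial -out "$HSM_CERT" -days 3652 -sha256 2>/dev/null
}

# Pre-upload check: does the signed HSM certificate chain to the given CA file?
# Returns 0 when it verifies, non-zero otherwise.
verify_chain() {
  openssl verify -CAfile "$1" "$HSM_CERT" >/dev/null 2>&1
}

# The HSM certificate's issuer must name the CA subject the page uses.
issuer_is_cluster_ca() {
  openssl x509 -in "$HSM_CERT" -noout -issuer | grep -q "CloudHSMClusterCA"
}

make_ca_cert "$WORK/customerCA.crt" "CloudHSMClusterCA"
sign_csr "$WORK/customerCA.crt"
verify_chain "$WORK/customerCA.crt" || { echo "HSM certificate does not chain to customerCA.crt"; exit 1; }
echo "HSM certificate chains to customerCA.crt"

# Negative control: an unrelated CA must be rejected, so the check actually discriminates.
make_ca_cert "$WORK/otherCA.crt" "UnrelatedCA"
verify_chain "$WORK/otherCA.crt" && { echo "unrelated CA unexpectedly accepted"; exit 1; }
echo "unrelated CA correctly rejected"
```

To use the same check on the real files, run `openssl verify -CAfile customerCA.crt cluster-<CLUSTER-ID>_CustomerHsmCertificate.crt` in the directory where the page's commands wrote them; a failure there means the certificate was signed with a key other than the one behind customerCA.crt and should not be uploaded.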