
2a - Using KMS to Validate the HSM

This section covers signing the cluster CSR with a CA key that is backed by AWS KMS: the private key exists only as a KMS ciphertext blob and is decrypted on the fly into a pipe when a certificate is issued.

Prerequisites

Have your cluster CSR ready and your AWS client configured with access to KMS. For more information on configuring your AWS CLI, refer to the AWS Documentation Configuring the AWS CLI.

Use KMS to Validate the HSM

To sign the CSR with a key backed by AWS KMS:

  1. Create a KMS customer-managed key (CMK); it wraps the CA key pair that signs the CSR:

    BASH
    aws kms create-key --description "CloudHSM customerCA.crt encryption key"

    Output example:

    TEXT
    {
        "KeyMetadata": {
            "AWSAccountId": "429127456234",
            "KeyId": "53aed673-9490-4f1c-a716-567eedd07827",
            "Arn": "arn:aws:kms:us-east-2:<AWS ACCOUNT ID>:key/53aed673-9490-4f1c-a716-567eedd07827",
            "CreationDate": "2021-01-11T19:53:15.652000+00:00",
            "Enabled": true,
            "Description": "CloudHSM customerCA.crt key encryption key",
            "KeyUsage": "ENCRYPT_DECRYPT",
            "KeyState": "Enabled",
            "Origin": "AWS_KMS",
            "KeyManager": "CUSTOMER",
            "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
            "EncryptionAlgorithms": [
                "SYMMETRIC_DEFAULT"
            ]
        }
    }
  2. Get the KeyId with jq. Run this in place of the command in step 1, not in addition to it: every create-key call creates a new key, so piping the same command through jq keeps only the KeyId of the key being created:

    BASH
    aws kms create-key --description "CloudHSM customerCA.crt encryption key" | jq -r '.KeyMetadata.KeyId'

    Output example:

    TEXT
    53aed673-9490-4f1c-a716-567eedd07827
  3. Create an alias for the KMS key so it can be referenced more easily:

    • If you use a different alias from "alias/cloudhsm-customerCA-key-encryption-key", be sure to change the alias in all of the commands that follow.
    • For --target-key-id, use the KeyId returned by the create-key command above.

    BASH
    aws kms create-alias --alias-name "alias/cloudhsm-customerCA-key-encryption-key" --target-key-id "53aed673-9490-4f1c-a716-567eedd07827"

    Output example: (none)

  4. Create the encrypted root CA key pair used to sign the certificate and get the PrivateKeyCiphertextBlob. KMS returns the private key only in encrypted form, so keep this blob safe: it is the only copy of the CA private key, and it can be decrypted only by the KMS key it was generated under.

    BASH
    aws kms generate-data-key-pair-without-plaintext --key-id "alias/cloudhsm-customerCA-key-encryption-key" --key-pair-spec RSA_2048

    Output:

    TEXT
    {
        "PrivateKeyCiphertextBlob": "<PRIVATE-KEY-CIPHERTEXT-BLOB>",
        "PublicKey": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuD4bFNUbYv+8sUx+XsWClejUdYiNea1yadayadayada5V5DdX9XreRFTToPmO1SiDGnCXDC8XB9YiSe5d6BuQqHxcJ6W7zxDZU1PgY7omI8ZJazlfFq+C2EHp3DnNRx3Pu7NQjocJNib6OfkrNmuCJqlUEilvHsRPUBaM6W16FpnjDyqKEj4w/tChzxIs6asEVQDm6rv6+e/qc04ziR4wgxwlmBKQ7Nr8yAjJszFlxmXG2kCjQ27uLHvK6D5tDyboj0WD1nwWX5PG6PmtZxY8tYYOjFBwI/lzJRQMsstaUC0Y+05yadayadayadag+E/2SzNBhMsRroNMSx8sxWGrDwQIDAQAB",
        "KeyId": "arn:aws:kms:us-east-2:429127456234:key/53aed673-9490-4f1c-a716-567eedd07827",
        "KeyPairSpec": "RSA_2048"
    }
  5. Get the key in binary format.

    Put the PrivateKeyCiphertextBlob from the previous step into the following command in its raw (base64) form. The command writes the DER-encoded private key to standard output; steps 6 and 7 feed this same pipeline into openssl through /dev/stdin so the plaintext key is never written to disk:

    BASH
    aws kms decrypt \
    --ciphertext-blob "<PRIVATE-KEY-CIPHERTEXT-BLOB>" \
    --key-id "alias/cloudhsm-customerCA-key-encryption-key" \
    --output text \
    --query Plaintext | base64 --decode
  6. Create the self-signed CA certificate with the KMS private key.

    BASH
    aws kms decrypt \
    --ciphertext-blob "<PRIVATE-KEY-CIPHERTEXT-BLOB>" \
    --key-id "alias/cloudhsm-customerCA-key-encryption-key" \
    --output text \
    --query Plaintext | base64 --decode | \
    openssl req -x509 -new -nodes -sha256 -days 3652 -out customerCA.crt -key /dev/stdin -keyform der -subj /CN="CloudHSMClusterCA"

    Output: None on terminal. 

    This command writes the customerCA.crt file to disk. It is used in the CloudHSM client configuration once the cluster certificate has been signed and uploaded.

  7. Sign the HSM CSR with the KMS key. (warning) Change <CLUSTER-ID> to the ID of the cluster whose CSR you are signing.

    BASH
    aws kms decrypt \
    --ciphertext-blob "<PRIVATE-KEY-CIPHERTEXT-BLOB>" \
    --key-id "alias/cloudhsm-customerCA-key-encryption-key" \
    --output text \
    --query Plaintext | base64 --decode | \
    openssl x509 -req -in cluster-<CLUSTER-ID>_ClusterCsr.csr -CA customerCA.crt -CAkey /dev/stdin -CAkeyform der -CAcreateserial -out cluster-<CLUSTER-ID>_CustomerHsmCertificate.crt -days 3652 -sha256

    Output:

    TEXT
    Signature ok
    subject=/C=US/ST=CA/O=Cavium/OU=N3FIPS/L=SanJose/CN=HSM:B1BF80C1755B426103C4BA244B3381:PARTN:3, for FIPS mode
    Getting CA Private Key

    This command will output the file cluster-<CLUSTER-ID>_CustomerHsmCertificate.crt. Take this file along with the customerCA.crt file generated previously and upload it to the cluster in the next section, Section 3 - Initialize CloudHSM.
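Before uploading, it is worth checking that the files from steps 6 and 7 fit together. The script below is an added example, not part of the original page: it uses only the public files (customerCA.crt, the signed cluster certificate and the CSR) and never needs the KMS-decrypted private key. The function name and the use of -nameopt RFC2253 to normalise names for comparison are my choices.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Checks the public artefacts from
# steps 6 and 7 before they are uploaded to the cluster. Only public files are
# read; the KMS-decrypted private key is never needed here.
#
# Usage: verify_cluster_cert customerCA.crt \
#            cluster-<CLUSTER-ID>_CustomerHsmCertificate.crt \
#            cluster-<CLUSTER-ID>_ClusterCsr.csr
# Returns 0 when every check passes, 1 otherwise (reasons go to stderr).
verify_cluster_cert() {
  local ca="$1" crt="$2" csr="$3" rc=0

  # 1. customerCA.crt must be a self-signed CA certificate: it has to verify
  #    against itself when it is the only trust anchor.
  if ! openssl verify -CAfile "$ca" "$ca" >/dev/null 2>&1; then
    echo "FAIL: $ca is not a valid self-signed CA certificate" >&2; rc=1
  fi

  # 2. The signed cluster certificate must chain to customerCA.crt.
  if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
    echo "FAIL: $crt does not verify against $ca" >&2; rc=1
  fi

  # 3. The certificate must carry exactly the public key from the CSR, i.e. it
  #    certifies the HSM-generated key and nothing else. Both commands print the
  #    SubjectPublicKeyInfo as PEM, so the same key gives identical output.
  local csr_pub crt_pub
  csr_pub=$(openssl req  -in "$csr" -pubkey -noout 2>/dev/null || true)
  crt_pub=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null || true)
  if [ -z "$csr_pub" ] || [ "$csr_pub" != "$crt_pub" ]; then
    echo "FAIL: public key in $crt does not match the CSR $csr" >&2; rc=1
  fi

  # 4. The issuer of the cluster certificate must be the CA's subject.
  #    -nameopt RFC2253 prints both in the same form so they compare as strings.
  local issuer subject
  issuer=$(openssl x509 -in "$crt" -noout -issuer  -nameopt RFC2253 2>/dev/null || true)
  subject=$(openssl x509 -in "$ca"  -noout -subject -nameopt RFC2253 2>/dev/null || true)
  if [ -z "$issuer" ] || [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
    echo "FAIL: issuer of $crt is not the subject of $ca" >&2; rc=1
  fi

  return "$rc"
}
```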
