To create the CSR and generate the key pair using OpenSSL:
-
Copy each of the four certificates you downloaded in 1 - Create CloudHSM Cluster to the EJBCA instance. The prefix of the file is the cluster ID. For example, this cluster ID is cluster-ijd53hj4zdv_file-type. You can also use your preferred SCP client.
Example: This example shows how to copy the Cluster CSR. Repeat the same step for HSM certificate, AWS certificate, and Manufacturer certificate.# scp -i ~/Documents/C2\ Comp/PrimeKey/EC2\ Creds/c2-ssh/c2-ssh.pem ec2-user@ec2-34-229-187-81.compute-1.amazonaws.com:/home/ec2-user cluster-ijd53hj4zdv_ClusterCsr.csr ~/Downloads/cluster-ijd53hj4zdv_ClusterCsr.csr -
Use OpenSSL to create a key to validate the HSM. This command asks for a password to protect the key and you may use the instance ID or another password of your choosing.
# openssl genrsa -aes256 -out customerCA.key 2048 -
Create a self-signed issuing cert with the key created. This command asks for values for the cert (country code, location, etc.) and you can populate them or press Enter to leave them blank. You must populate at least one value.
# openssl req -new -x509 -days 3652 -key customerCA.key -out customerCA.crt -
Sign the CSR with the issuing certificate and key. Ensure to change the CSR (after the
-invalue) to be the one that was downloaded from your HSM cluster.
This command creates a file named
CustomerHsmSignedCertificate.crt.Use this file as the signed certificate when you initialize the cluster.# openssl x509 -req -days 3652 -in cluster-ijd53hj4zdv_ClusterCsr.csr \ -CA customerCA.crt \ -CAkey customerCA.key \ -CAcreateserial \ -out CustomerHsmSignedCertificate.crt