2b - Use OpenSSL to Validate the HSM
Proceed as follows to create the CSR and generate the key pair using OpenSSL:
- Download the four certificates in the links in the UI:
There will be four files that look like the following: Copy these certificates to the EJBCA instance. The prefix of the file is the cluster ID. For example, this cluster ID is cluster-ijd53hj4zdv_file-type. In the example below, we will show it for the CSR but you will need to copy each of these files. You can also use your preferred SCP client:
CODE# scp -i ~/Documents/C2\ Comp/PrimeKey/EC2\ Creds/c2-ssh/c2-ssh.pem ec2-user@ec2-34-229-187-81.compute-1.amazonaws.com:/home/ec2-user cluster-ijd53hj4zdv_ClusterCsr.csr ~/Downloads/cluster-ijd53hj4zdv_ClusterCsr.csr
Use OpenSSL to create a key to validate the HSM. This command asks for a password to protect the key and you may use the instance ID or another password of your choosing.
CODE# openssl genrsa -aes256 -out customerCA.key 2048
Create a self-signed issuing cert with the key created. This command asks for values for the cert (country code, location, etc.) and you can populate them or press Enter to leave them blank. You must populate at least one value.
CODE# openssl req -new -x509 -days 3652 -key customerCA.key -out customerCA.crt
Sign the CSR with the issuing certificate and key. Ensure to change the CSR (after the
-in
value) to be the one that was downloaded from your HSM cluster.
This command creates a file namedCustomerHsmSignedCertificate.crt.
Use this file as the signed certificate when you initialize the cluster.CODE# openssl x509 -req -days 3652 -in cluster-ijd53hj4zdv_ClusterCsr.csr \ -CA customerCA.crt \ -CAkey customerCA.key \ -CAcreateserial \ -out CustomerHsmSignedCertificate.crt