
Appendix C - Converting liquidsec Public Keys to P11NG Compatible Key Pairs

Before EJBCA 7.5 and EJBCA Cloud 2.6, EJBCA required a custom provider to work around some of the legacy limitations of CloudHSM integration with Java applications.

To migrate the public files located on disk in /opt/ejbca/.liquidsec to the CloudHSM deployment, perform the following steps. These steps must be performed on a node that has a working CloudHSM client that is successfully connected to the CloudHSM cluster.

  1. Log in to the HSM and check the key.
  2. Load the key manager:

    /opt/cloudhsm/bin/key_mgmt_util

  3. Log in to the HSM:

    loginHSM -u CU -s ejbca_issuing -p password123!

  4. List all keys and determine the key handle. If you have more than one key, it is good to get the list of keys beforehand so you know which one is added:

    findKey

  5. Check the name of the key (changing "-o 29" to the handle of the key you want to convert the public key for):

    getAttribute -a 512 -o 29 -out /dev/tty

  6. Log out of key_mgmt_util and convert the certificate to PEM format (you may want to test whether you can skip this step):

    openssl x509 -pubkey -inform DER -in /opt/ejbca/.liquidsec/10001.testKey0001.crt -outform PEM > /opt/ejbca/.liquidsec/10001.testKey0001.crt.pubout.pem
  7. Log back into key_mgmt_util and import the keys.

  8. Import the public key/certificate to CloudHSM, making sure to set the key ID to the same one that it was created with:

    importPubKey -l testKey0001 -f /opt/ejbca/.liquidsec/10001.testKey0001.crt.pubout.pem -id testKey0001
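
When several certificates need migrating, steps 6 and 8 can be batched. The script below is an added example, not part of the EJBCA documentation: it assumes files are named `<number>.<label>.crt` as in the single example above and that the key ID equals the label; the function names and the `LIQUIDSEC_DIR` variable are hypothetical.

```shell
#!/bin/sh
# Added example: batches steps 6 and 8 for every certificate in the directory.
# Assumption: files are named <number>.<label>.crt, as in 10001.testKey0001.crt,
# and the key ID equals the label (both taken from the page's single example).
LIQUIDSEC_DIR="${LIQUIDSEC_DIR:-/opt/ejbca/.liquidsec}"

# Key label: drop the directory, the leading "<number>." and the ".crt" suffix.
label_from_crt() {
    base=${1##*/}
    base=${base%.crt}
    printf '%s\n' "${base#*.}"
}

# Output path for the PEM public key, matching the page's naming.
pem_path_for() {
    printf '%s.pubout.pem\n' "$1"
}

# Step 6, using the same openssl invocation as the page.
convert_crt() {
    openssl x509 -pubkey -inform DER -in "$1" -outform PEM > "$(pem_path_for "$1")"
}

# Step 8: the command to paste into key_mgmt_util for this certificate.
import_cmd_for() {
    label=$(label_from_crt "$1")
    printf 'importPubKey -l %s -f %s -id %s\n' \
        "$label" "$(pem_path_for "$1")" "$label"
}

# Convert each certificate and print its import command. Labels that are
# empty, start with "-", or contain characters outside [A-Za-z0-9_.-] are
# skipped so a stray file name cannot add arguments to the command.
migrate_all() {
    for crt in "$LIQUIDSEC_DIR"/*.crt; do
        [ -f "$crt" ] || continue
        case $(label_from_crt "$crt") in
            ''|-*|*[!A-Za-z0-9_.-]*)
                echo "skipping $crt: unexpected label" >&2; continue ;;
        esac
        convert_crt "$crt" || { echo "openssl failed: $crt" >&2; continue; }
        import_cmd_for "$crt"
    done
}

# Only act when invoked as: sh script.sh run
if [ "${1:-}" = "run" ]; then migrate_all; fi
```

Compare each printed label with the `findKey` and `getAttribute` output from steps 4 and 5 before pasting the commands into key_mgmt_util.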