
As above, we were planning to do the following:

  • Access our HSM (Luna SA)
  • Generate CSR
  • Send CSR to 3rd Party CA
  • Add critical key usage of Non Repudiation on 3rd Parties portal
  • Send the now signed CSR (public key to our trading partner) which has the key usage

Does it matter if I have not added the key usage attribute during the CSR generation on the HSM as I cannot find a way to add the key usage with the HSM client software?

Regards

Steve

2 Answers


Each tool should be used for what it does best. The HSM is great at protecting a private key by allowing it to be used without leaking it out of the hardware module.

But IMHO, the CSR generation and validation should be done before submitting a validated CSR to the HSM for signature only.

Serge Ballesta
  • Thank you, we have found a solution that involves writing a config file to the HSM; this way we can still generate the CSR with the right key usage attribute on the HSM. – Steve Aug 21 '17 at 12:50
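The config-file approach mentioned in the comment above, shown as an added example rather than code from the thread or from the Luna SA client: an OpenSSL `req` configuration that requests a critical `keyUsage` extension containing `nonRepudiation`, a CSR built from it, and a check that the extension really is in the CSR. It assumes the `openssl` CLI is installed and uses a throwaway software EC key in place of the HSM-held key; the sample subject name is constructed. The plain CSR generated alongside shows what you get when the extension section is omitted, which is the situation the question describes.

```shell
#!/bin/sh
# Added example (not from the original thread): build a CSR whose keyUsage
# extension is marked critical and includes nonRepudiation by driving
# OpenSSL from a config file, then verify the CSR actually carries it.
# Assumptions: openssl CLI available; a throwaway software P-256 key stands
# in for the HSM-held key; the subject DN is a constructed sample.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write an "openssl req" config. Only when $2 = yes does it contain the
# req_extensions section that places keyUsage into the CSR; the word
# "critical" marks the extension critical.
write_csr_config() {            # $1 = config path, $2 = yes|no
  {
    printf '%s\n' '[ req ]' 'distinguished_name = req_dn' 'prompt = no'
    if [ "$2" = yes ]; then printf '%s\n' 'req_extensions = req_ext'; fi
    # Constructed sample subject; replace with the real DN.
    printf '%s\n' '' '[ req_dn ]' 'CN = example-trading-signer' 'O = Example Org'
    if [ "$2" = yes ]; then
      printf '%s\n' '' '[ req_ext ]' \
        'keyUsage = critical, nonRepudiation, digitalSignature'
    fi
  } > "$1"
}

# Generate a throwaway P-256 key (stand-in for the key kept in the HSM).
make_key() {                    # $1 = key output path
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
}

# Build the CSR from key + config. Extensions in a CSR are only a request;
# the CA decides what ends up in the issued certificate.
make_csr() {                    # $1 = key, $2 = config, $3 = csr output path
  openssl req -new -key "$1" -config "$2" -out "$3" 2>/dev/null
}

# Return 0 if the object's Key Usage is marked critical and the following
# line lists Non Repudiation, else 1. $1 = req (CSR) or x509 (certificate),
# so the same check can be run on the certificate the CA returns.
has_critical_nonrepudiation() { # $1 = req|x509, $2 = file
  openssl "$1" -in "$2" -noout -text | awk '
    /X509v3 Key Usage: critical/ { want = 1; next }
    want && /Non Repudiation/    { found = 1 }
                                 { want = 0 }
    END { exit found ? 0 : 1 }'
}

main() {
  make_key "$WORKDIR/key.pem"
  write_csr_config "$WORKDIR/with_ku.cnf" yes
  write_csr_config "$WORKDIR/plain.cnf" no
  make_csr "$WORKDIR/key.pem" "$WORKDIR/with_ku.cnf" "$WORKDIR/with_ku.csr"
  make_csr "$WORKDIR/key.pem" "$WORKDIR/plain.cnf"   "$WORKDIR/plain.csr"
  for f in with_ku plain; do
    if has_critical_nonrepudiation req "$WORKDIR/$f.csr"; then
      echo "$f.csr: critical nonRepudiation requested"
    else
      echo "$f.csr: no critical nonRepudiation key usage in CSR"
    fi
  done
}

main "$@"
```

Once the CA returns the certificate, the same check with `has_critical_nonrepudiation x509 cert.pem` tells you whether the CA kept the requested usage, which matters because, as the second answer notes, CAs commonly replace CSR extensions with their own template.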

It is typically the responsibility of the CA to only sign extensions they approve (typically described in their CPS), and may add extensions according to the type of certificate. I would check with the CA.

For most CAs they will discard the extensions you supply and only add the ones they include from their own template/certificate type. As an example, you may have the CA:TRUE extension in your CSR, but no CA is going to simply sign without first removing that value. On the other hand, if you specifically request a nonRepudiation certificate, the CA should add it for you even if it is not in the CSR, since the resulting certificate will not perform as you require without it.

Liam Dennehy