3

Can I generate a CSR using HSM? If Yes, then Please guide us. It would be very helpful.

Following are our system details:

  • We have HSM(SafeNet) Simulator to test developement application.
  • we are using Cryptoki.dll with Desktop based application to perform crypto operation.

Now we want to know whether HSM can generate CSR or Not? If yes, then how?

Sandip Patidar
  • 94
  • 1
  • 6
  • 1
    The process might depend on your specific HSM. See also stackoverflow.com [How to generate certificate if private key is in HSM?](https://stackoverflow.com/questions/30905850/how-to-generate-certificate-if-private-key-is-in-hsm). – Steffen Ullrich Oct 09 '18 at 05:31
  • @SteffenUllrich Thanks for your reply. I have checked your mentioned link, But they are using openssl with HSM to generate CSR. I am interested to know can HSM generate CSR? In My I want to generate using HSM. I am using Safenet HSM. –  Oct 09 '18 at 05:44
  • 1
    A HSM is a hardware which protects a private key and provides an interface to interact with it for signing etc. You need some software to interact with the hardware in order to create a CSR. OpenSSL is with the appropriate engine one of the software which can interact with the hardware. And searching for [safenet hsm create csr](https://www.google.com/search?q=safenet+hsm+create+csr) provides various hits including documentation about integration with OpenSSL. – Steffen Ullrich Oct 09 '18 at 05:50
  • 1
    If I'm not mistaken Cryptoki is a library/API, not some standalone software. Maybe you could provide all the details needed (which HSM, which software to interface with it...) in your question instead of providing it in small pieces in the comments? Or did you just bought an HSM without any up-front ideas what you are doing and now try to figure out how to use it and without looking at any documentation you got? – Steffen Ullrich Oct 09 '18 at 06:25
  • @SteffenUllrich Thanks for all suggest. I am able to manage CSR from HSM. See my solution, I hope this will also help you. –  Oct 11 '18 at 16:43

3 Answers3

4

I did research & followed PKCS #11 OASIS document standard:

http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html

Finally, I am able to manage Certificate Request (CSR) from HSM.

Following are the steps to achieve the same:

  1. Generate Key Pair (Private, Public)
  2. Derive Key(C_DeriveKey) from public key and give followings attribute:
    • Mechanism - ENCODE_PKCS_10 (Certificate Request)
    • Signing Key (Private Key)
    • Signing Mechanism - SHA1_RSA_PKCS
Sandip Patidar
  • 94
  • 1
  • 6
  • I didn't find and mechanism ENCODE_PKCS_10 This does not even comply with the pkcs11 standard of naming mechanisn.The pkcs11 standard mechanism name starts with CKA_ .Is this mechanism vendor defined by SafeNet ?? – Abhishek Garg Oct 17 '19 at 10:47
1

You are using a 'dll', therefore on Windows.

Your SafeNet HSM will come with client software which you install on the server that requires access to the device. Once installed and configured correctly, it shows up as a Microsoft CryptoAPI Key Storage Provider.

This new provider shows up in the list of possible cryptographic providers (in addition to the software modules) when you attempt to request a certificate.

In addition, Gemalto (SafeNet) provide software to interact with the HSM directly via PKCS#11 and therefore accessible to non-CAPI applications (such as OpenSSL) as well as .jar files for access from Java applications.

garethTheRed
  • 4,009
  • 13
  • 20
  • Thanks for reply. I am agree with your suggested points. In our case we are not following OpenSSL. Now I am able to manage CSR using HSM. Please See solution in answer. –  Oct 10 '18 at 06:54
0
  1. Generate RSA KeyPair in HSM with label for public and private keys.
  2. Take HSM public key out. Convert HSM public key to Java based public key with modulus and public exponent(Use RSAPublicKeySpec class)
  3. Create CertificateRequestInfo with subject and public key(step 2)
  4. Sign the Step 3 data with Private key inside HSM(use private key label and findObject to locate the private key)
  5. Use algorithm, signature(step 4) and CertificationRequestInfo(step 3) to compute CertificationRequestValue
  6. Encode step 5 result to Base64 and add "-----BEGIN NEW CERTIFICATE REQUEST-----" and "-----END NEW CERTIFICATE REQUEST-----"

I followed the code here - https://gist.github.com/dopoljak/e7550dd0c01a3438c24c and modified for my requirements.

Thanks to Domagoj Poljak !!

Cheers

menakshisundaram
  • 1