Reconfigure SSL with a new certificate and private key (optional)
AWS CloudHSM uses an SSL certificate to establish a connection to an HSM. A default key and SSL certificate are included when you install the client. You can, however, create and use your own. Note that you will need the self-signed certificate (customerCA.crt) that you created when you initialized your cluster.
At a high level, this is a two-step process:
- First, you create a private key, then use that key to create a certificate signing request (CSR). Use the issuing certificate, the certificate you created when you initialized the cluster, to sign the CSR.
- Next, you use the configure tool to copy the key and certificate to the appropriate directories.
Create a key, a CSR, and then sign the CSR
The steps are the same for Client SDK 3 or Client SDK 5.
To reconfigure SSL with a new certificate and private key
- Create a private key using the following OpenSSL command:
openssl genrsa -out ssl-client.key 2048
Generating RSA private key, 2048 bit long modulus
........+++
............+++
e is 65537 (0x10001)
- Use the following OpenSSL command to create a certificate signing request (CSR). You will be asked a series of questions for your certificate.
openssl req -new -sha256 -key ssl-client.key -out ssl-client.csr
Enter pass phrase for ssl-client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
- Sign the CSR with the customerCA.crt certificate that you created when you initialized your cluster.
openssl x509 -req -days 3652 -in ssl-client.csr \
    -CA customerCA.crt \
    -CAkey customerCA.key \
    -CAcreateserial \
    -out ssl-client.crt
Signature ok
subject=/C=US/ST=WA/L=Seattle/O=Example Company/OU=sales
Getting CA Private Key
Enable custom SSL for AWS CloudHSM
The steps differ between Client SDK 3 and Client SDK 5. For more information about working with the configure command line tool, see Configure tool.
Custom SSL for Client SDK 3
Use the configure tool for Client SDK 3 to enable custom SSL. For more information about the configure tool for Client SDK 3, see Client SDK 3 configure tool.
To use a custom certificate and key for TLS client-server mutual authentication with Client SDK 3 on Linux
- Copy your key and certificate to the appropriate directory.
sudo cp ssl-client.crt /opt/cloudhsm/etc
sudo cp ssl-client.key /opt/cloudhsm/etc
- Use the configure tool to specify ssl-client.crt and ssl-client.key.
sudo /opt/cloudhsm/bin/configure --ssl \
    --pkey /opt/cloudhsm/etc/ssl-client.key \
    --cert /opt/cloudhsm/etc/ssl-client.crt
- Add the customerCA.crt certificate to the trust store. Create a hash of the certificate subject name. This creates an index that allows the certificate to be looked up by that name.
openssl x509 -in /opt/cloudhsm/etc/customerCA.crt -hash | head -n 1
1234abcd
Create a directory.
mkdir /opt/cloudhsm/etc/certs
Create a file that contains the certificate with the hash name.
sudo cp /opt/cloudhsm/etc/customerCA.crt /opt/cloudhsm/etc/certs/1234abcd.0
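The following script is an added example, not part of the AWS documentation. It runs the key, CSR and signing steps above non-interactively and then performs the trust-store step (copying customerCA.crt to a file named after its subject hash), all in a scratch directory, and checks with openssl verify that the new client certificate actually chains to customerCA.crt through that hashed lookup. Because customerCA.crt and customerCA.key normally come from cluster initialization, the script constructs a throwaway CA with made-up subject values so it runs stand-alone.

```shell
#!/bin/sh
# Added example, not from the AWS documentation. Runs the key/CSR/sign steps
# non-interactively in a scratch directory ($1), installs the CA under the
# hashed name the trust-store step requires, and checks the result with
# "openssl verify" before anything is copied to /opt/cloudhsm/etc.
set -eu

# customerCA.crt/customerCA.key come from cluster initialization in practice.
# For a self-contained run, construct a throwaway CA (values are made up).
make_demo_ca() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/C=US/ST=WA/L=Seattle/O=Example Company/CN=demo customerCA" \
    -keyout "$dir/customerCA.key" -out "$dir/customerCA.crt" 2>/dev/null
}

# Key, CSR, signed cert, then customerCA.crt copied to certs/<subject-hash>.0,
# the file name OpenSSL's directory lookup (-CApath) expects. Prints that path.
build_client_cert() {
  dir="$1"
  openssl genrsa -out "$dir/ssl-client.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/ssl-client.key" \
    -subj "/C=US/ST=WA/L=Seattle/O=Example Company/OU=sales" \
    -out "$dir/ssl-client.csr"
  openssl x509 -req -days 3652 -in "$dir/ssl-client.csr" \
    -CA "$dir/customerCA.crt" -CAkey "$dir/customerCA.key" -CAcreateserial \
    -out "$dir/ssl-client.crt" 2>/dev/null
  hash=$(openssl x509 -in "$dir/customerCA.crt" -noout -hash)
  mkdir -p "$dir/certs"
  cp "$dir/customerCA.crt" "$dir/certs/$hash.0"
  echo "$dir/certs/$hash.0"
}

# Returns 0 only if ssl-client.crt chains to customerCA.crt both directly and
# through the hashed directory; the second check fails if the file is misnamed.
verify_client_cert() {
  dir="$1"
  openssl verify -CAfile "$dir/customerCA.crt" "$dir/ssl-client.crt" >/dev/null &&
    openssl verify -CApath "$dir/certs" "$dir/ssl-client.crt" >/dev/null
}

work=$(mktemp -d)
make_demo_ca "$work"
installed=$(build_client_cert "$work")
verify_client_cert "$work" && echo "ssl-client.crt verifies; CA installed as $installed"
```

With a real cluster, skip make_demo_ca and place your own customerCA.crt and customerCA.key in the scratch directory before calling build_client_cert; the verify step then confirms the files are correct before you copy them under /opt/cloudhsm/etc.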
Custom SSL for Client SDK 5
Use any of the Client SDK 5 configure tools to enable custom SSL. For more information about the configure tool for Client SDK 5, see Client SDK 5 configure tool.