Reconfigure SSL with a New Certificate and Private Key (Optional)
AWS CloudHSM uses an SSL certificate to establish a connection to an HSM. A default
key and SSL
certificate are included when you install the client. You can, however, create and
use your
own. Note that you will need the self–signed certificate
(customerCA.crt) that you created when you initialized your cluster.
At a high level, this is a two-step process:
-
First, you create a private key, then use that key to create a certificate signing request (CSR). Use the issuing certificate, the certificate you created when you initialized the cluster, to sign the CSR.
-
Next, you use the configure tool to copy the key and certificate to the appropriate directories.
Create a Key, a CSR, and Then Sign the CSR
The steps are the same for Client SDK 3 or Client SDK 5.
To reconfigure SSL with a new certificate and private key
-
Create a private key using the following OpenSSL command:
openssl genrsa -out ssl-client.key 2048Generating RSA private key, 2048 bit long modulus ........+++ ............+++ e is 65537 (0x10001) -
Use the following OpenSSL command to create a certificate signing request (CSR). You will be asked a series of questions for your certificate.
openssl req -new -sha256 -key ssl-client.key -out ssl-client.csrEnter pass phrase for ssl-client.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]: State or Province Name (full name) []: Locality Name (eg, city) [Default City]: Organization Name (eg, company) [Default Company Ltd]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []: Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: -
Sign the CSR with the
customerCA.crtcertificate that you created when you initialized your cluster.openssl x509 -req -days 3652 -in ssl-client.csr \ -CA customerCA.crt \ -CAkey customerCA.key \ -CAcreateserial \ -out ssl-client.crtSignature ok subject=/C=US/ST=WA/L=Seattle/O=Example Company/OU=sales Getting CA Private Key
Enable Custom SSL for AWS CloudHSM
The steps are different for Client SDK 3 or Client SDK 5. For more information about working with the configure command line tool, see Configure Tool.
Custom SSL for Client SDK 3
Use the configure tool for Client SDK 3 to enable custom SSL. For more information about configure tool for Client SDK 3, see Client SDK 3 Configure Tool.
To use a custom certificate and key for TLS client-server mutual authentication with Client SDK 3 on Linux
-
Copy your key and certificate to the appropriate directory.
sudo cp ssl-client.crt/opt/cloudhsm/etcsudo cp ssl-client.key/opt/cloudhsm/etc -
Use the configure tool to specify
ssl-client.crtandssl-client.key.sudo /opt/cloudhsm/bin/configure --ssl \ --pkey/opt/cloudhsm/etc/ssl-client.key\ --cert/opt/cloudhsm/etc/ssl-client.crt -
Add the
customerCA.crtcertificate to the trust store. Create a hash of the certificate subject name. This creates an index to allow the certificate to be looked up by that name.openssl x509 -in /opt/cloudhsm/etc/customerCA.crt -hash | head -n 1 1234abcdCreate a directory.
mkdir /opt/cloudhsm/etc/certsCreate a file that contains the certificate with the hash name.
sudo cp /opt/cloudhsm/etc/customerCA.crt /opt/cloudhsm/etc/certs/1234abcd.0
Custom SSL for Client SDK 5
Use any of the Client SDK 5 configure tools to enable custom SSL. For more information about configure tool for Client SDK 5, see Client SDK 5 Configure Tool.
