AWS CloudHSM
User Guide

Step 1: Set Up the Prerequisites

To set up web server SSL/TLS offload with AWS CloudHSM, you need the following:

  • An active AWS CloudHSM cluster with at least one HSM.

  • An Amazon EC2 instance running a Windows operating system with the following software installed:

    • The AWS CloudHSM client software for Windows.

    • Internet Information Services (IIS) for Windows Server.

  • A crypto user (CU) to own and manage the web server's private key on the HSM.

Note

This tutorial uses Microsoft Windows Server 2016. Microsoft Windows Server 2012 is also supported, but Microsoft Windows Server 2012 R2 is not.

To set up a Windows Server instance and create a CU on the HSM

  1. Complete the steps in Getting Started. When you launch the Amazon EC2 client instance, choose a Windows Server 2016 or Windows Server 2012 AMI. When you complete these steps, you have an active cluster with at least one HSM. You also have an Amazon EC2 client instance running Windows Server with the AWS CloudHSM client software for Windows installed.

  2. (Optional) Add more HSMs to your cluster. For more information, see Adding an HSM.

  3. Connect to your Windows server. For more information, see Connect to Your Instance in the Amazon EC2 User Guide for Windows Instances.

  4. To create a crypto user (CU) on your HSM, do the following:

    1. Start the AWS CloudHSM client.

    2. Update the cloudhsm_mgmt_util configuration file.

    3. Start cloudhsm_mgmt_util.

    4. Enable end-to-end encryption.

    5. Log in to the HSMs with the user name and password of a crypto officer (CO).

    6. Create a crypto user (CU). Keep track of the CU user name and password. You will need them to complete the next step.

  5. Set the login credentials for the HSM, using the CU user name and password that you created in the previous step.

  6. In step 5, if you used Windows Credential Manager to set the HSM credentials, download PsExec (psexec.exe) from Microsoft Sysinternals and use it to run the following command as NT AUTHORITY\SYSTEM:

    psexec.exe -s "C:\Program Files\Amazon\CloudHsm\tools\set_cloudhsm_credentials.exe" --username <username> --password <password>

    Replace <username> and <password> with the HSM credentials.

To install IIS on your Windows Server

  1. If you haven't already done so, connect to your Windows server. For more information, see Connect to Your Instance in the Amazon EC2 User Guide for Windows Instances.

  2. On your Windows server, start Server Manager.

  3. In the Server Manager dashboard, choose Add roles and features.

  4. Read the Before you begin information, and then choose Next.

  5. For Installation Type, choose Role-based or feature-based installation. Then choose Next.

  6. For Server Selection, choose Select a server from the server pool. Then choose Next.

  7. For Server Roles, do the following:

    1. Select Web Server (IIS).

    2. For Add features that are required for Web Server (IIS), choose Add Features.

    3. Choose Next to finish selecting server roles.

  8. For Features, accept the defaults. Then choose Next.

  9. Read the Web Server Role (IIS) information. Then choose Next.

  10. For Select role services, accept the defaults or change the settings as preferred. Then choose Next.

  11. For Confirmation, read the confirmation information. Then choose Install.

  12. After the installation is complete, choose Close.
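The two procedures above, setting the HSM credentials for the SYSTEM account (step 6 of the first procedure) and installing the Web Server (IIS) role, can be completed from a single PowerShell script instead of the wizards. The following script is an added example, not part of the AWS documentation; it assumes PsExec was saved to C:\Tools\PsExec.exe and that step 5 used Windows Credential Manager.

```powershell
#Requires -RunAsAdministrator
# Hypothetical helper (not AWS documentation code): checks the prerequisites
# above and completes the two scripted steps, IIS installation and setting
# HSM credentials for SYSTEM. Assumes PsExec was downloaded to $PsExecPath.
param(
    [string]$PsExecPath    = 'C:\Tools\PsExec.exe',                      # assumption
    [string]$CloudHsmTools = 'C:\Program Files\Amazon\CloudHsm\tools'    # path from this page
)
$ErrorActionPreference = 'Stop'
$setCreds = Join-Path $CloudHsmTools 'set_cloudhsm_credentials.exe'

# 1. The AWS CloudHSM client software for Windows must already be installed.
if (-not (Test-Path $setCreds)) {
    throw "CloudHSM client tools not found at '$CloudHsmTools'; install the client first."
}
if (-not (Test-Path $PsExecPath)) {
    throw "PsExec not found at '$PsExecPath'; download it from Sysinternals."
}

# 2. Web Server (IIS) role: the scripted equivalent of the Server Manager
#    "Add roles and features" wizard, with the default role services.
if (-not (Get-WindowsFeature -Name Web-Server).Installed) {
    $result = Install-WindowsFeature -Name Web-Server -IncludeManagementTools
    if (-not $result.Success) { throw 'IIS role installation failed.' }
    if ($result.RestartNeeded -ne 'No') { Write-Warning 'Restart the server before using IIS.' }
}

# 3. HSM credentials for the CU, set in the SYSTEM context as step 6 requires
#    when Windows Credential Manager was used in step 5. The password is
#    prompted for rather than stored in the script, but it still reaches
#    set_cloudhsm_credentials.exe as a command-line argument.
$cu     = Read-Host -Prompt 'CU user name'
$secure = Read-Host -Prompt 'CU password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

& $PsExecPath -accepteula -s $setCreds --username $cu --password $plain
$plain = $null
if ($LASTEXITCODE -ne 0) {
    throw "set_cloudhsm_credentials.exe failed with exit code $LASTEXITCODE"
}
Write-Host 'Prerequisites complete: CloudHSM client, IIS role, and SYSTEM HSM credentials.'
```

Run it from an elevated PowerShell session on the Windows Server instance after the CloudHSM client is installed and the CU exists on the HSM.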

After you complete these steps, go to Step 2: Create a Certificate Signing Request (CSR) and Certificate.