User Guide

Step 1: Set Up the Prerequisites

To set up web server SSL/TLS offload with AWS CloudHSM, you need the following:

  • An active AWS CloudHSM cluster with at least one HSM.

  • An Amazon EC2 instance running a Linux operating system with the following software installed:

    • The AWS CloudHSM client and command line tools.

    • The NGINX or Apache web server application.

    • The AWS CloudHSM dynamic engine for OpenSSL.

  • A crypto user (CU) to own and manage the web server's private key on the HSM.

To set up a Linux web server instance and create a CU on the HSM

  1. Complete the steps in Getting Started. You will then have an active cluster with one HSM and an Amazon EC2 client instance. Your EC2 instance will be configured with the command line tools. Use this client instance as your web server.

  2. Connect to your client instance. For more information, see Connecting to Your Linux Instance Using SSH or Connecting to Your Linux Instance from Windows Using PuTTY in the Amazon EC2 documentation. Then do the following:

    1. Choose whether to install the NGINX or Apache web server application. Then complete one of the following steps:

      • To install NGINX, run the following command.

        sudo yum install -y nginx

      • To install Apache, run the following command.

        sudo yum install -y httpd24 mod24_ssl

    2. Install and configure the AWS CloudHSM dynamic engine for OpenSSL.

  3. (Optional) Add more HSMs to your cluster. For more information, see Adding an HSM.

  4. To create a crypto user (CU) on your HSM, do the following:

    1. Start the AWS CloudHSM client.

    2. Update the cloudhsm_mgmt_util configuration file.

    3. Use cloudhsm_mgmt_util to create a CU. For more information, see Managing HSM Users. Keep track of the CU user name and password. You will need them later when you generate or import the HTTPS private key and certificate for your web server.
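
As an added example (not part of the AWS guide), the following POSIX shell script checks that the Step 1 prerequisites are in place on the instance before you continue. It assumes the engine is registered with OpenSSL under the name cloudhsm, the client daemon runs as the service cloudhsm-client, and the CU credential is passed in the environment variable n3fips_password as user:password; none of these names come from this page.

```shell
#!/bin/sh
# Added prerequisite check for Step 1; not from the AWS guide.
# Assumptions (not stated on the page): engine name "cloudhsm",
# service name "cloudhsm-client", credential in n3fips_password.

# Map the web server choice to the packages the guide installs with yum.
packages_for() {
  case "$1" in
    nginx)  echo "nginx" ;;
    apache) echo "httpd24 mod24_ssl" ;;
    *)      return 1 ;;
  esac
}

# Parse the output of "openssl engine -t <name>": OpenSSL prints
# "[ available ]" when the engine loaded and "[ unavailable ]" otherwise.
engine_loaded() {
  printf '%s\n' "$1" | grep -q '\[ available \]'
}

# The CU credential must come from the environment, never from a
# world-readable file or the command line. Succeeds only for "user:password".
credential_ok() {
  case "$1" in
    ?*:?*) return 0 ;;
    *)     return 1 ;;
  esac
}

# Run the live checks on the instance; each failure is reported, not fatal.
run_checks() {
  server="$1"
  pkgs=$(packages_for "$server") || { echo "unknown web server: $server" >&2; return 1; }
  # shellcheck disable=SC2086  # word splitting on $pkgs is intended
  rpm -q $pkgs >/dev/null 2>&1 || echo "missing packages: $pkgs" >&2
  service cloudhsm-client status >/dev/null 2>&1 || echo "cloudhsm-client is not running" >&2
  engine_loaded "$(openssl engine -t cloudhsm 2>&1)" || echo "OpenSSL engine 'cloudhsm' did not load" >&2
  credential_ok "${n3fips_password:-}" || echo "set n3fips_password=<CU user>:<password> before Step 2" >&2
}

# Only run the live checks when explicitly requested, e.g.
#   CHECK_PREREQS=1 sh check_prereqs.sh apache
if [ "${CHECK_PREREQS:-0}" = 1 ]; then
  run_checks "${1:-nginx}"
fi
```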

After you complete these steps, go to Step 2: Generate or Import a Private Key and SSL/TLS Certificate.