AWS CloudHSM
User Guide

Verify the Identity and Authenticity of Your Cluster's HSM (Optional)

To initialize your cluster, you sign a certificate signing request (CSR) generated by the cluster's first HSM. Before you do this, you might want to verify the identity and authenticity of the HSM.

Note

This process is optional. However, it works only until a cluster is initialized. After the cluster is initialized, you cannot use this process to get the certificates or verify the HSMs.

Overview

To verify the identity of your cluster's first HSM, complete the following steps:

  1. Get the certificates and CSR – In this step, you get three certificates and a CSR from the HSM. You also get two root certificates, one from AWS CloudHSM and one from the HSM hardware manufacturer.

  2. Verify the certificate chains – In this step, you construct two certificate chains, one to the AWS CloudHSM root certificate and one to the manufacturer root certificate. Then you verify the HSM certificate with these certificate chains to determine that AWS CloudHSM and the hardware manufacturer both attest to the identity and authenticity of the HSM.

  3. Compare public keys – In this step, you extract and compare the public keys in the HSM certificate and the cluster CSR, to ensure that they are the same. This should give you confidence that the CSR was generated by an authentic, trusted HSM.

The following diagram shows the CSR, the certificates, and their relationship to each other. The subsequent list defines each certificate.


(Diagram: The HSM certificates and their relationships.)
AWS Root Certificate

This is AWS CloudHSM's root certificate. You can view and download this certificate at https://docs.aws.amazon.com/cloudhsm/latest/userguide/root-certificate.html.

Manufacturer Root Certificate

This is the hardware manufacturer's root certificate. You can view and download this certificate at https://www.cavium.com/LS/TAmanuCert/.

AWS Hardware Certificate

AWS CloudHSM created this certificate when it claimed the HSM hardware. This certificate asserts that AWS CloudHSM owns the hardware.

Manufacturer Hardware Certificate

The HSM hardware manufacturer created this certificate when it manufactured the HSM hardware. This certificate asserts that the manufacturer created the hardware.

HSM Certificate

The HSM certificate is generated by the FIPS-validated hardware when you create the first HSM in the cluster. This certificate asserts that the HSM hardware created the HSM.

Cluster CSR

The first HSM creates the cluster CSR. When you sign the cluster CSR, you claim the cluster. Then, you can use the signed CSR to initialize the cluster.

Get Certificates from the HSM

To verify the identity and authenticity of your HSM, start by getting a CSR and five certificates. You get three of the certificates from the HSM, which you can do with the AWS CloudHSM console, the AWS Command Line Interface (AWS CLI), or the AWS CloudHSM API.

To get the CSR and HSM certificates (console)

  1. Open the AWS CloudHSM console at https://console.aws.amazon.com/cloudhsm/.

  2. Choose Initialize next to the cluster that you created previously.

  3. When the certificates and CSR are ready, you see links to download them.

    
    (Screenshot: The download certificate signing request page in the AWS CloudHSM console.)

    Choose each link to download and save the CSR and certificates. To simplify the subsequent steps, save all of the files to the same directory and use the default file names.

To get the CSR and HSM certificates (AWS CLI)

  • At a command prompt, run the describe-clusters command four times, extracting the CSR and different certificates each time and saving them to files.

    1. Issue the following command to extract the cluster CSR. Replace <cluster ID> with the ID of the cluster that you created previously.

      $ aws cloudhsmv2 describe-clusters --filters clusterIds=<cluster ID> \
          --output text \
          --query 'Clusters[].Certificates.ClusterCsr' \
          > <cluster ID>_ClusterCsr.csr

    2. Issue the following command to extract the HSM certificate. Replace <cluster ID> with the ID of the cluster that you created previously.

      $ aws cloudhsmv2 describe-clusters --filters clusterIds=<cluster ID> \
          --output text \
          --query 'Clusters[].Certificates.HsmCertificate' \
          > <cluster ID>_HsmCertificate.crt

    3. Issue the following command to extract the AWS hardware certificate. Replace <cluster ID> with the ID of the cluster that you created previously.

      $ aws cloudhsmv2 describe-clusters --filters clusterIds=<cluster ID> \
          --output text \
          --query 'Clusters[].Certificates.AwsHardwareCertificate' \
          > <cluster ID>_AwsHardwareCertificate.crt

    4. Issue the following command to extract the manufacturer hardware certificate. Replace <cluster ID> with the ID of the cluster that you created previously.

      $ aws cloudhsmv2 describe-clusters --filters clusterIds=<cluster ID> \
          --output text \
          --query 'Clusters[].Certificates.ManufacturerHardwareCertificate' \
          > <cluster ID>_ManufacturerHardwareCertificate.crt

To get the CSR and HSM certificates (AWS CloudHSM API)

  • Send a DescribeClusters request, then extract and save the CSR and certificates from the response.

Get the Root Certificates

Follow these steps to get the root certificates for AWS CloudHSM and the manufacturer. Save the root certificate files to the directory that contains the CSR and HSM certificate files.

To get the AWS CloudHSM and manufacturer root certificates

  1. Go to https://docs.aws.amazon.com/cloudhsm/latest/userguide/root-certificate.html, and then choose AWS_CloudHSM_Root-G1.zip. After you download the file, extract (unzip) its contents.

  2. Go to https://www.cavium.com/LS/TAmanuCert/, and then choose Download Certificate. You might need to right-click the Download Certificate link and then choose Save Link As... to save the certificate file.

Verify Certificate Chains

In this step, you construct two certificate chains, one to the AWS CloudHSM root certificate and one to the manufacturer root certificate. Then use OpenSSL to verify the HSM certificate with each certificate chain.

To create the certificate chains, open a Linux shell. You need OpenSSL, which is available in most Linux shells, and you need the root certificate and HSM certificate files that you downloaded. However, you do not need the AWS CLI for this step, and the shell does not need to be associated with your AWS account.

Note

To verify the certificate chain, use OpenSSL 1.0. Due to a change in OpenSSL certificate verification, the following instructions do not work with OpenSSL 1.1.

To verify the HSM certificate with the AWS CloudHSM root certificate

  1. Navigate to the directory where you saved the root certificate and HSM certificate files that you downloaded. The following commands assume that all of the certificates are in the current directory and use the default file names.

    Use the following command to create a certificate chain that includes the AWS hardware certificate and the AWS CloudHSM root certificate, in that order. Replace <cluster ID> with the ID of the cluster that you created previously.

    $ cat <cluster ID>_AwsHardwareCertificate.crt \
        AWS_CloudHSM_Root-G1.crt \
        > <cluster ID>_AWS_chain.crt

  2. Use the following OpenSSL command to verify the HSM certificate with the AWS certificate chain. Replace <cluster ID> with the ID of the cluster that you created previously.

    $ openssl verify -CAfile <cluster ID>_AWS_chain.crt <cluster ID>_HsmCertificate.crt
    <cluster ID>_HsmCertificate.crt: OK

To verify the HSM certificate with the manufacturer root certificate

  1. Use the following command to create a certificate chain that includes the manufacturer hardware certificate and the manufacturer root certificate, in that order. Replace <cluster ID> with the ID of the cluster that you created previously.

    $ cat <cluster ID>_ManufacturerHardwareCertificate.crt \
        cavium_cert.crt \
        > <cluster ID>_manufacturer_chain.crt

  2. Use the following OpenSSL command to verify the HSM certificate with the manufacturer certificate chain. Replace <cluster ID> with the ID of the cluster that you created previously.

    $ openssl verify -CAfile <cluster ID>_manufacturer_chain.crt <cluster ID>_HsmCertificate.crt
    <cluster ID>_HsmCertificate.crt: OK

Extract and Compare Public Keys

Use OpenSSL to extract and compare the public keys in the HSM certificate and the cluster CSR, to ensure that they are the same.

To compare the public keys, use your Linux shell. You need OpenSSL, which is available in most Linux shells, but you do not need the AWS CLI for this step. The shell does not need to be associated with your AWS account.

To extract and compare the public keys

  1. Use the following command to extract the public key from the HSM certificate.

    $ openssl x509 -in <cluster ID>_HsmCertificate.crt -pubkey -noout > <cluster ID>_HsmCertificate.pub
  2. Use the following command to extract the public key from the cluster CSR.

    $ openssl req -in <cluster ID>_ClusterCsr.csr -pubkey -noout > <cluster ID>_ClusterCsr.pub
  3. Use the following command to compare the public keys. If the public keys are identical, the following command produces no output.

    $ diff <cluster ID>_HsmCertificate.pub <cluster ID>_ClusterCsr.pub

After you verify the identity and authenticity of the HSM, proceed to Initialize the Cluster.
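
The whole procedure above (build both chains, verify the HSM certificate against each, then compare the public keys) as one POSIX shell script that stops with a non-zero exit status at the first failing check. This is an added example, not code from the AWS guide; it assumes the files were saved under the default names used on this page, that both root certificates are in the same directory, and that openssl is on the PATH.

```shell
#!/bin/sh
# verify_hsm.sh: runs this page's checks for one cluster and exits non-zero
# on the first failure. Assumes the CSR, HSM and hardware certificates were
# saved with the default file names, and that AWS_CloudHSM_Root-G1.crt and
# cavium_cert.crt are in the same directory.
set -eu

# build_chain HARDWARE_CERT ROOT_CERT OUT: hardware certificate first, root
# second, the same order as the cat commands above.
build_chain() {
  cat "$1" "$2" > "$3"
}

# verify_hsm_cert CHAIN HSM_CERT: succeeds only when openssl reports OK.
verify_hsm_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# same_public_key HSM_CERT CSR: succeeds only when the public key in the HSM
# certificate and the public key in the cluster CSR are identical.
same_public_key() {
  cert_key=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null)
  csr_key=$(openssl req -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$cert_key" ] && [ "$cert_key" = "$csr_key" ]
}

# verify_cluster CLUSTER_ID [DIR]: the full procedure, one verdict per step.
verify_cluster() {
  id=$1; dir=${2:-.}
  hsm="$dir/${id}_HsmCertificate.crt"
  build_chain "$dir/${id}_AwsHardwareCertificate.crt" \
    "$dir/AWS_CloudHSM_Root-G1.crt" "$dir/${id}_AWS_chain.crt"
  build_chain "$dir/${id}_ManufacturerHardwareCertificate.crt" \
    "$dir/cavium_cert.crt" "$dir/${id}_manufacturer_chain.crt"
  verify_hsm_cert "$dir/${id}_AWS_chain.crt" "$hsm" ||
    { echo "FAIL: HSM certificate does not chain to the AWS CloudHSM root"; return 1; }
  verify_hsm_cert "$dir/${id}_manufacturer_chain.crt" "$hsm" ||
    { echo "FAIL: HSM certificate does not chain to the manufacturer root"; return 1; }
  same_public_key "$hsm" "$dir/${id}_ClusterCsr.csr" ||
    { echo "FAIL: cluster CSR public key differs from the HSM certificate key"; return 1; }
  echo "OK: HSM $id is attested by AWS and the manufacturer; the CSR uses its key"
}

# Usage: ./verify_hsm.sh <cluster ID> [directory]
[ "$#" -eq 0 ] || verify_cluster "$@"
```

The same OpenSSL version note as above applies, since the script only wraps the openssl verify command.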

AWS CloudHSM Root Certificate

Download the AWS CloudHSM root certificate: AWS_CloudHSM_Root-G1.zip.
