4

Can I generate a CSR using HSM? If Yes, then Please guide us. It would be very helpful.

Following are our system details:

  • We have HSM(SafeNet) Simulator to test developement application.
  • we are using Cryptoki.dll with Desktop based application to perform crypto operation.

Now we want to know whether HSM can generate CSR or Not? If yes, then how?

Sandip Patidar
  • 104
  • 1
  • 6

3 Answers3

4

I did research & followed PKCS #11 OASIS document standard:

http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html

Finally, I am able to manage Certificate Request (CSR) from HSM.

Following are the steps to achieve the same:

  1. Generate Key Pair (Private, Public)
  2. Derive Key(C_DeriveKey) from public key and give followings attribute:
    • Mechanism - ENCODE_PKCS_10 (Certificate Request)
    • Signing Key (Private Key)
    • Signing Mechanism - SHA1_RSA_PKCS
Sandip Patidar
  • 104
  • 1
  • 6
1

You are using a 'dll', therefore on Windows.

Your SafeNet HSM will come with client software which you install on the server that requires access to the device. Once installed and configured correctly, it shows up as a Microsoft CryptoAPI Key Storage Provider.

This new provider shows up in the list of possible cryptographic providers (in addition to the software modules) when you attempt to request a certificate.

In addition, Gemalto (SafeNet) provide software to interact with the HSM directly via PKCS#11 and therefore accessible to non-CAPI applications (such as OpenSSL) as well as .jar files for access from Java applications.

garethTheRed
  • 5,429
0
  1. Generate RSA KeyPair in HSM with label for public and private keys.
  2. Take HSM public key out. Convert HSM public key to Java based public key with modulus and public exponent(Use RSAPublicKeySpec class)
  3. Create CertificateRequestInfo with subject and public key(step 2)
  4. Sign the Step 3 data with Private key inside HSM(use private key label and findObject to locate the private key)
  5. Use algorithm, signature(step 4) and CertificationRequestInfo(step 3) to compute CertificationRequestValue
  6. Encode step 5 result to Base64 and add "-----BEGIN NEW CERTIFICATE REQUEST-----" and "-----END NEW CERTIFICATE REQUEST-----"

I followed the code here - https://gist.github.com/dopoljak/e7550dd0c01a3438c24c and modified for my requirements.

Thanks to Domagoj Poljak !!

Cheers

menakshisundaram
  • 1