Securosys HSM Integration Guide

This page provides detailed instructions for integrating Securosys HSMs with MTG CLM and CARA, using the PKCS#11 interface. The information below covers supported products, configuration requirements, deployment steps and operational details.

Supported Integration Method

The MTG ERS products, MTG KMS and CARA, integrate with Securosys HSMs via the PKCS#11 interface. MTG CLM in turn gains the same protection by using CARA as its CA. Both Securosys Primus HSM (on-premises) and CloudHSM deployments are supported. From MTG's side there are no functional differences between the two; any differences arise only from the HSM licensing model.

Integration Points in MTG CLM

  • In a standard setup, private keys for both the Root CA and Sub CA are stored in the HSM.

  • The Root CA private key is used only when creating a Sub CA.

  • The Sub CA private key is used for every end-entity certificate signing and renewal.

  • All certificate creation and renewal operations in MTG CLM leverage HSM protection.

  • Realm and policy management are handled within CLM and do not affect the CARA/HSM setup.

Typical Deployment Scenarios

  • All production PKI environments are strongly encouraged to use HSM protection for CA private keys.

  • Securosys HSM integration is applicable for both new and existing PKI deployments seeking hardware-based key security.

Configuration Requirements

Securosys HSM

The necessary steps to set up the Securosys Primus HSMs can vary depending on the model and firmware. Please follow the instructions that match your setup in the official Primus HSM Quickstart Guide.

This step can be skipped if you are using CloudHSM, as the partitions come preconfigured.

For the connection to MTG CLM, the PKCS#11 API must also be set up on the HSM. Please see the official Primus HSM Configuration Guide for how to do that.

Key Export & Extract

Key export and extraction operations can be allowed or denied at the global, partition and/or key level. It is important to understand that these restrictions can only become more restrictive towards the lower levels; a lower level can never relax a restriction set above it. For example, it is valid to allow key exports globally but deny them at the partition level. It is not valid, however, to deny key exports at the partition level while allowing them at the key level.
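The following POSIX shell functions are an added example and are not part of the Securosys or MTG documentation. They encode the rule above so that a planned policy can be checked before it is applied: the levels are passed from highest to lowest (global, partition, key), and the check generalizes to any number of levels, since the only requirement is that no level re-allows what a higher level already denied. The second function returns the effective permission, which is simply the most restrictive level in the chain.

```shell
# check_export_chain LEVEL...: validate an export/extract policy chain given
# from the highest to the lowest level, e.g. "allow deny deny" for
# global, partition, key. Each value is "allow" or "deny".
# Returns 0 if valid, 1 if a lower level relaxes a higher one, 2 on a bad value.
check_export_chain() {
  denied_at=""
  level=0
  for v in "$@"; do
    level=$((level + 1))
    case "$v" in
      allow|deny) ;;
      *) echo "level $level: expected allow or deny, got '$v'" >&2; return 2 ;;
    esac
    if [ -n "$denied_at" ] && [ "$v" = allow ]; then
      echo "level $level allows export, but level $denied_at already denied it" >&2
      return 1
    fi
    # remember the first level that denies; everything below must deny too
    [ "$v" = deny ] && [ -z "$denied_at" ] && denied_at=$level
  done
  return 0
}

# effective_export LEVEL...: the permission that actually applies to a key is
# the most restrictive one along the chain.
effective_export() {
  for v in "$@"; do
    [ "$v" = deny ] && { echo deny; return 0; }
  done
  echo allow
}

# The two cases from the guide, with constructed values:
if check_export_chain allow deny deny; then
  echo "global=allow partition=deny key=deny: valid, effective=$(effective_export allow deny deny)"
fi
if check_export_chain deny allow allow; then
  :
else
  echo "global=deny partition=allow key=allow: rejected"
fi
```

Run it with `sh` on any machine; it needs nothing from the HSM. When a chain fails the check, the message names the level that attempted to relax the restriction, which is the setting to correct on the HSM side.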

Best Practices

It is considered a best practice in PKI environments to create separate partitions for the Root CA and the Sub CA. CARA would then only connect to the partition holding the Root CA key when it is time to sign a new Sub CA.

Starting from Firmware version 3.2.8 on Primus HSM devices, it is also possible to use sub-roles for created users. To learn more, please consult the relevant Primus HSM User Guide.

CARA

Steps on VM

  1. Install the PKCS#11 API Provider on the machine that runs mtg-cara-ws-server as outlined in the official documentation.

  2. Add the cara user to the primus group so that the service is able to read the configuration files. This can be done with the command

    sudo usermod -aG primus cara

  3. Use the temporary secret partition setup password and the PKCS#11 password to retrieve the permanent secret:

    /usr/local/primus/bin/ppin -a -e $PARTITION_USERNAME $TEMP_PASSWORD $PKCS11_PASSWORD

  4. Test the connectivity to the HSM(s):

    /usr/local/primus/bin/ppin -t

  5. Edit the mtg-cara-ws-server service configuration (/etc/opt/mtg-cara-ws-server/mtg-cara-ws-server.service.conf):

    SECUROSYS_SECRETS_CONF=/etc/primus/secrets.cfg
    SECUROSYS_PKCS11_CONF=/etc/primus/primus.cfg

  6. Set pkcs11Folder=/usr/local/primus/lib/ in /etc/opt/mtg-cara-ws-server/application.properties.
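The script below is an added example and not MTG's or Securosys's own tooling. It applies steps 2, 5 and 6 of the VM procedure idempotently (an existing key is rewritten rather than appended a second time) and then verifies that all three settings are present with the values from the guide. The PREFIX argument is an assumption introduced for testing: with "/" it edits the real files named above, with a scratch directory it can be exercised without touching the system. Step 3 is deliberately left to the ppin command from the guide, so that no partition passwords end up in a script; step 4 is wrapped so that it only runs where the Primus tools are installed.

```shell
#!/bin/sh
# Added example: applies and verifies the CARA-side HSM settings from the guide.
set -u

SERVICE_CONF_REL="etc/opt/mtg-cara-ws-server/mtg-cara-ws-server.service.conf"
APP_PROPS_REL="etc/opt/mtg-cara-ws-server/application.properties"

# set_kv FILE KEY VALUE: set KEY=VALUE in FILE, replacing an existing line or
# appending one; the file and its directory are created if missing.
set_kv() {
  file="$1"; key="$2"; value="$3"
  mkdir -p "$(dirname "$file")"
  [ -f "$file" ] || : > "$file"
  if grep -q "^${key}=" "$file"; then
    tmp="${file}.tmp.$$"
    awk -v k="$key" -v v="$value" 'BEGIN{FS="="} $1==k {print k"="v; next} {print}' \
      "$file" > "$tmp" && mv "$tmp" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# get_kv FILE KEY: print the value of KEY (last occurrence), empty if absent.
get_kv() {
  [ -f "$1" ] || return 0
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

# configure_cara_hsm PREFIX: steps 5 and 6 of the guide under PREFIX ("/" for the real system).
configure_cara_hsm() {
  prefix="${1:-/}"; prefix="${prefix%/}"
  set_kv "$prefix/$SERVICE_CONF_REL" SECUROSYS_SECRETS_CONF /etc/primus/secrets.cfg
  set_kv "$prefix/$SERVICE_CONF_REL" SECUROSYS_PKCS11_CONF /etc/primus/primus.cfg
  set_kv "$prefix/$APP_PROPS_REL" pkcs11Folder /usr/local/primus/lib/
}

# verify_cara_hsm PREFIX: 0 only if all three settings carry the expected values.
verify_cara_hsm() {
  prefix="${1:-/}"; prefix="${prefix%/}"
  [ "$(get_kv "$prefix/$SERVICE_CONF_REL" SECUROSYS_SECRETS_CONF)" = /etc/primus/secrets.cfg ] &&
  [ "$(get_kv "$prefix/$SERVICE_CONF_REL" SECUROSYS_PKCS11_CONF)" = /etc/primus/primus.cfg ] &&
  [ "$(get_kv "$prefix/$APP_PROPS_REL" pkcs11Folder)" = /usr/local/primus/lib/ ]
}

# Step 2: needs root and the primus group created by the PKCS#11 provider package.
add_cara_to_primus_group() {
  if [ "$(id -u)" -eq 0 ] && getent group primus >/dev/null 2>&1; then
    usermod -aG primus cara
  else
    echo "skipping usermod: not root or no 'primus' group present" >&2
    return 1
  fi
}

# Step 4: connectivity test, only where the Primus tools exist.
test_hsm_connectivity() {
  if [ -x /usr/local/primus/bin/ppin ]; then
    /usr/local/primus/bin/ppin -t
  else
    echo "ppin not found; install the PKCS#11 API provider first (step 1)" >&2
    return 1
  fi
}

# Usage on the CARA VM, as root, after steps 1 and 3:
#   add_cara_to_primus_group && configure_cara_hsm / && verify_cara_hsm / && test_hsm_connectivity
```

Run verify_cara_hsm after any later edit of the two files as well; a missing or altered value will make mtg-cara-ws-server fail to find the Primus configuration, which is easier to spot here than in the service log.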

Steps in UI

In the CARA-Admin UI navigate to Module → Generic HSM → Devices → Device hinzufügen (Add device) and fill in the fields as follows:

  • HSM-Type: PKCS11

  • Cryptoki: choose the right PKCS#11 library

  • Domäne/Entity/Partition/Slot (Domain/Entity/Partition/Slot): name of the partition

  • HSM-Pool Konfiguration (HSM pool configuration): leave at default

Afterwards go to the newly created HSM → Details → Verbinden (Connect).

Performance Considerations

  • Every certificate creation and renewal requires access to the Sub CA private key in the HSM.

  • The HSM may become a bottleneck if certificate issuance volume is high; select an HSM model that matches expected throughput.