Welcome to the comprehensive guide that will walk you through generating Certificate Signing Requests (CSRs) and performing Key Attestation using the highly secure and trusted Luna Hardware Security Module (HSM).
The information will equip you with the knowledge and best practices to ensure the utmost integrity and protection of your cryptographic keys and certificates.
Security professionals and anyone involved with code signing certificates need to stay current with industry standards; keeping pace with them is crucial in today’s fast-moving technology landscape.
One essential resource you should familiarize yourself with is the CA/B Forum Baseline Requirements v2.8 for Code Signing Certificates.
Code signing certificates function as digital signatures, instilling confidence in users that the code they download or install originates from a trusted source and remains untampered.
We will review the CA/B Forum Baseline Requirements version 2.8 for Code Signing Certificates. This collection of industry standards and guidelines aims to bolster the security and reliability of code signing processes, ensuring a safer digital environment for all users.
Let’s embark on this journey to discover how these requirements enhance the trustworthiness of code signing practices.
A Certificate Signing Request (CSR) is crucial in obtaining an SSL Certificate from a Certificate Authority. It constitutes a block of text generated on the server where the certificate will be installed.
The CSR contains the information required for the certificate, including the organization name, common name, locality, and country. It also carries the public key, which the CA embeds in the certificate it issues.
The CSR is the means by which the entity requesting the SSL certificate communicates its details to the CA. Generating a CSR produces two essential components.
The first is the public key, an integral part of the CSR.
The second is the private key, generated simultaneously with the CSR and securely kept on the server.
The confidentiality of the private key is imperative.
This section will help you create a Certificate Signing Request (CSR) and perform key attestation on the Luna Network Attached HSM 7.x. By following these instructions, you can generate a Public Key Confirmation (PKC) file for an RSA key pair.
Our focus here lies in the remarkable capabilities of Luna HSMs, particularly their ability to generate a Public Key Confirmation package (PKC) as a key attestation.
This PKC serves as an invaluable verification that a specific key pair was generated and securely stored within the Luna HSM, ensuring the highest level of security.
The PKC files generated by Luna HSM use the DER-encoded PKCS#7 format and carry all the information the key attestation service needs.
To be accepted by the key attestation service, the PKC file must be encoded in base64 before submission.
Generating a Certificate Signing Request (CSR) may vary depending on your software, but the fundamental steps remain consistent. Here’s a general outline to help you through the process:
Step 1: Before diving into CSR generation, gather the relevant details: your domain name, organization name, city (locality), state or province name, and country code.
Step 2: Create a public-private key pair. Keep the private key secure and ensure it never leaves the server or hardware module where it was generated.
Step 3: Select a CSR generation tool that matches your server software. It will prompt you for the details prepared in Step 1 (the common name, organization, locality, and the other fields the SSL certificate needs) and use the private key from Step 2 to sign the request, then write an encoded file with a .csr or .req extension.
When generating a PKC for an RSA key pair, you’ll come across two commonly mentioned formats:
The first format bundles three certificates within the PKC; note, however, that its certificate chain does not end with a root certificate.
In contrast, the Chrysalis-ITS format comprises five certificates arranged within the PKC structure. Moreover, the certificate chain culminates with a root certificate, providing an extra layer of trust.
Our strong recommendation is to opt for the Chrysalis-ITS format due to the availability of vendor documentation, which offers further guidance and support throughout the process.
With these comprehensive guidelines, you can create your CSR and conduct key attestation using the mighty Luna Network Attached HSM 7.x.
Safeguard your cryptographic operations and enjoy enhanced security and peace of mind with Luna HSM’s cutting-edge features.
To ensure seamless utilization of the Sectigo key attestation service or reseller-website enrollment form, follow these simple steps to generate a Certificate Signing Request (CSR) and Public Key Confirmation (PKC) in the Chrysalis-ITS format using Luna HSM:
Step 1: Launch the Luna remote client and access the Luna HSM by logging in.
Step 2: Employ the LunaCM2 utility to create an RSA key pair on Luna Partition1, executing the appropriate commands based on your operating system:
For Windows:
C:\> cd "C:\Program Files\SafeNet\LunaClient"
C:\Program Files\SafeNet\LunaClient> lunacm
For Linux:
$ cd /usr/safenet/lunaclient/bin
$ ./lunacm
Generate the RSA key pair using the command below, ensuring you replace “LABEL” with your desired key pair identifier:
cmu gen -modulusBits=3072 -publicExp=65537 -sign=T -verify=T -label=LABEL -extractable=false
REMINDER! For successful CSR generation, the parameters “-extractable=false” and “-sign=T” are mandatory: without them, Luna will not use this key to sign the CSR. The RSA key must also be at least 3072 bits for code signing certificates.
Step 3: Retrieve the handle numbers of the public and private keys with the following commands:
cmu list -class public -label=LABEL
cmu list -class private -label=LABEL
Step 4: Generate a CSR using the subsequent command, replacing “MNO” and “BCD” with the respective public and private key handles:
cmu requestcert -publichandle=MNO -privatehandle=BCD -C=CA -L=Ottawa -O=Sectigo -CN="PKC Test Cert" -outputFile=rsacsr.pem
Step 5: Now, create a PKC using the following command, replacing “MNO” with your public key handle and “attestation.p7b” with the desired file name (“-pkctype=2” selects the Chrysalis-ITS format described above):
cmu getpkc -handle=MNO -outputfile=attestation.p7b -pkctype=2 -verify
Step 6: Convert the attestation PKC file to base64 using the commands for your platform. On Windows, certutil wraps its output in “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” lines, which findstr strips; write the stripped result to a new file, because redirecting findstr’s output back into its own input file truncates that file before it is read:
For Windows:
certutil -encode attestation.p7b attestation.tmp
findstr /v CERTIFICATE attestation.tmp > attestation.b64
For Linux:
base64 attestation.p7b > attestation.b64
Step 7: Finally, submit the generated CSR and base64-encoded attestation to the website enrollment form to verify the HSM’s authenticity in issuing code signing certificates.
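The following script is an added example, not part of the original guide or of the Luna client tools. It checks the artifacts from Steps 4 to 6 before they are submitted: it counts the certificates in the PKC (three or five depending on the format described earlier), confirms the chain includes a self-signed root as the Chrysalis-ITS format provides, confirms the PKC carries the same public key as the CSR, and performs the base64 step portably with openssl. It assumes the openssl command-line tool is on PATH and the file names used above; the sample PKC it builds for demonstration is a constructed two-certificate bundle, not a real Luna PKC.

```shell
# Added example (not from the original guide): offline checks on the PKC and CSR produced by
# "cmu getpkc"/"cmu requestcert". Assumes openssl on PATH and the file names used above.
set -e

# Count the certificates bundled in the PKC: 5 for Chrysalis-ITS, 3 for the other format.
pkc_cert_count() {
    openssl pkcs7 -inform DER -in "$1" -print_certs -noout | grep -c '^subject='
}

# A Chrysalis-ITS chain includes a root: a certificate whose subject equals its issuer.
pkc_has_root() {
    openssl pkcs7 -inform DER -in "$1" -print_certs -noout |
        awk '/^subject=/ {s = substr($0, 9)} /^issuer=/ && s == substr($0, 8) {f = 1} END {exit !f}'
}

# The attested key must be the CSR key: one certificate in the PKC carries the CSR's public key.
pkc_matches_csr() {
    w=$(mktemp -d)
    openssl pkcs7 -inform DER -in "$1" -print_certs |
        awk -v w="$w" '/-----BEGIN CERTIFICATE-----/ {n++} n {print > (w "/cert" n ".pem")}'
    csr_key=$(openssl req -in "$2" -pubkey -noout)
    for c in "$w"/cert*.pem; do
        [ "$(openssl x509 -in "$c" -pubkey -noout)" = "$csr_key" ] && return 0
    done
    return 1
}

# Portable equivalent of Step 6: base64 text with no CERTIFICATE header lines to strip.
pkc_to_base64() { openssl base64 -in "$1" -out "$2"; }

# Constructed stand-in for a real PKC (leaf certificate plus the self-signed root that issued
# it) so the checks run offline; a genuine PKC is produced only inside the HSM by "cmu getpkc".
build_sample_pkc() {
    w=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$w/root.key" -out "$w/root.pem" \
        -subj "/CN=Constructed Root" -days 1 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$w/leaf.key" -out "$w/rsacsr.pem" \
        -subj "/C=CA/L=Ottawa/O=Sectigo/CN=PKC Test Cert" 2>/dev/null
    openssl x509 -req -in "$w/rsacsr.pem" -CA "$w/root.pem" -CAkey "$w/root.key" \
        -CAcreateserial -out "$w/leaf.pem" -days 1 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile "$w/leaf.pem" -certfile "$w/root.pem" \
        -outform DER -out "$w/attestation.p7b"
    printf '%s\n' "$w"
}

dir=$(build_sample_pkc)
echo "certificates in PKC: $(pkc_cert_count "$dir/attestation.p7b")"
pkc_has_root "$dir/attestation.p7b" && echo "chain includes a self-signed root"
pkc_matches_csr "$dir/attestation.p7b" "$dir/rsacsr.pem" && echo "PKC carries the CSR key"
pkc_to_base64 "$dir/attestation.p7b" "$dir/attestation.b64"
```

Point the functions at your real attestation.p7b and rsacsr.pem instead of the constructed sample; for a Chrysalis-ITS PKC the count should be 5 and both checks should pass.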
With these straightforward steps, you can generate a CSR and PKC in the Chrysalis-ITS format, ensuring a secure and reliable process for the Sectigo key attestation service or reseller-website enrollment form.
Safeguard your cryptographic operations with confidence and elevate your code signing certificates to new heights.