7.7. Configuring Subsystems with an HSM in FIPS Mode

If a subsystem is using a hardware security module (HSM) to store its key and certificate information, then this HSM can be enabled to use FIPS mode. This increases the security of the HSM and is recommended for most environments, especially Common Criteria environments.

7.7.1. Configuring a CA with an HSM in FIPS Mode

  1. Set up the HSM, as described in Section 6.3.9.2, “Using Hardware Security Modules with Subsystems” and the vendor documentation.
  2. Install and configure the CA instance, as described in Section 7.6.2, “Setting up CAs”.
  3. Stop the CA instance. The instance must be stopped to protect the information stored in its security databases.
    service pki-ca stop
  4. Replace the SSL subsystem certificate. By default, the installation process puts the certificate on the hardware token, but it should be placed on the software FIPS token.
    1. Open the CA's security database directory.
      cd /var/lib/pki-ca/alias
    2. Using certutil, create a request for a new SSL server certificate.
      certutil -d . -R -s "CN=ca.example.com,OU=pki-ca,O=Example Domain pki-ca" -o sslfips.req -h "NSS Certificate DB" -a
    3. Restart the CA.
      service pki-ca start
    4. Open the end entities pages for the CA (https://server.example.com:9444/ca/ee/ca), and use the SSL Server Cert Profile to submit the request.
    5. Log into the agent pages (https://server.example.com:9443/ca/agent/ca), and approve the request.
    6. Copy the base 64-encoded certificate on the approval page and save it to a file, such as sslfips.cert.
    7. Stop the CA again.
      service pki-ca stop
    8. Check the CA's certificate database to see if an SSL server certificate is already listed.
      certutil -d /var/lib/pki-ca/alias -L
    9. If the certificate exists, then delete it.
      certutil -d /var/lib/pki-ca/alias -D -n "ServerCert nickname"
    10. Import the new SSL server certificate.
      certutil -d /var/lib/pki-ca/alias -A -t "u,u,u" -n "ServerCert ca.example.com - Example Domain pki-ca" -i sslfips.cert -a
    11. Edit the /var/lib/pki-ca/conf/serverCertNick.conf file to contain the nickname of the new certificate, such as ServerCert ca.example.com - Example Domain pki-ca.
    12. Edit the CS.cfg file to replace both references to the SSL server certificate nickname.
      vim /var/lib/pki-ca/conf/CS/cfg
      
      ca.cert.sslserver.nickname= ServerCert ca.example.com - Example Domain pki-ca
      ca.sslserver.nickname= ServerCert ca.example.com - Example Domain pki-ca
    13. In the CS.cfg file, add a line to verify signatures from the token. The value is the token name, which depends on the vendor and version of the HSM. For example, for a NetHSM token:
       ca.requestVerify.token=NHSM6000-OCS
    14. Edi the server.xml file to enable FIPS mode for each SSL-enabled connector. Set strictCiphters to true and add or set ssl3 to false.
      vim /var/lib/pki-ca/conf/server.xml
      
      <Connector name="Agent" port="9443" maxHttpHeaderSize="8192"
              ...
              ...
              sslOptions="ssl2=false,ssl3=false,tls=true"
              strictCiphers="true"
              ...
      >
    15. Enable FIPS mode in the NSS software database.
      modutil -dbdir /var/lib/pki-ca/alias -fips true
    16. Verify that FIPS mode has been enabled. The command will return the current FIPS status.
      modutil -dbdir /var/lib/pki-ca/alias modutil -dbdir . -chkfips true
          
      FIPS mode enabled.
    17. Start the CA.
      service pki-ca start