9.3.3. Using ECC with an HSM

The HSMs supported by Certificate System (LunaSA and nCipher) support their own native ECC modules. This means that it is not necessary to load an independent ECC module for use with an HSM, but it is still necessary to configure the subsystem to use the ECC module with the token.
  1. Install the cryptographic device, using the manufacturer's instructions. Be sure to name the token something that will help identify it easily later.
  2. Install the PKCS #11 module on the subsystem using the modutil command-line utility.
    1. Open the alias directory for the subsystem which is being configured with the PKCS #11 module:
      cd /var/lib/instance_name/alias
    2. The required security module database file, secmod.db, should be created by default when the subsystem is created. If it does not exist, use the modutil utility to create secmod.db.
      modutil -dbdir . -nocertdb -create
    3. Use the modutil utility to set the library information.
      modutil -dbdir . -nocertdb -add module_name -libfile library_file
      library_file specifies the path to the library file containing the PKCS #11 interface module and module_name gives the name of the PKCS #11 module which was set when the drivers were installed.
      • For the LunaSA HSM, the library can be /usr/lunasa/lib/libCryptoki2_64.so or /usr/lunasa/lib/libCryptoki2.so:
        modutil -dbdir . -nocertdb -add lunasa -libfile /usr/lunasa/lib/libCryptoki2.so
      • For an nCipher HSM:
        modutil -dbdir . -nocertdb -add nethsm -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so
  3. Install the instance, but do not go through the configuration wizard.
  4. Stop the instance.
    service instance_name stop
  5. Edit the CS.cfg configuration and add a line to require signature verification. In this file, spaces and special characters do not need to be escaped. For example:
    ca.requestVerify.token=module name
  6. Start the instance.
    service instance_name start
  7. Continue with the instance configuration, with two important configuration settings:
    • In the Key Store panel, the ECC module should be listed as an available token. Select that module for the key store.
    • In the Key Pairs panel, ECC should be listed as an option to use to generate the keys used for the CA's certificates. Select the ECC key type.
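The module registration (step 2) and the CS.cfg edit (step 5) above, as an added shell example that is not part of the Certificate System documentation. It assumes placeholder paths for the alias directory, CS.cfg and the HSM library; the CS.cfg helpers replace an existing value rather than appending a duplicate, and the registration helper only adds the module when modutil does not already list it.

```shell
#!/bin/sh
# Added example: register an HSM PKCS #11 module for a subsystem and require
# signature verification on that token in CS.cfg. Paths are placeholders.

# Set key=value in CS.cfg, replacing an existing line for the key if present.
# CS.cfg values are not escaped, so the value may contain spaces or '='.
set_cs_cfg() {  # usage: set_cs_cfg <CS.cfg> <key> <value>
    cfg=$1; key=$2; value=$3
    if grep -q "^${key}=" "$cfg"; then
        # awk rather than sed so '/' or '&' in the value needs no escaping
        awk -v k="$key" -v v="$value" -F= '$1==k {print k "=" v; next} {print}' \
            "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf '%s=%s\n' "$key" "$value" >> "$cfg"
    fi
}

# Print the value currently set for a key in CS.cfg (empty if absent).
get_cs_cfg() {  # usage: get_cs_cfg <CS.cfg> <key>
    awk -v k="$2" -F= '$1==k {sub(/^[^=]*=/, ""); print; exit}' "$1"
}

# Create secmod.db if missing, add the module once, and confirm modutil lists it.
# Runs in a subshell so the caller's working directory is unchanged.
register_hsm_module() {  # usage: register_hsm_module <alias_dir> <module_name> <library_file>
    ( alias_dir=$1; name=$2; lib=$3
      [ -r "$lib" ] || { echo "PKCS #11 library not readable: $lib" >&2; exit 1; }
      cd "$alias_dir" || exit 1
      [ -f secmod.db ] || modutil -dbdir . -nocertdb -create -force
      # modutil -list prints each module as "  N. <module name>"
      modutil -dbdir . -nocertdb -list | grep -q "^ *[0-9]*\. ${name}\$" \
          || modutil -dbdir . -nocertdb -add "$name" -libfile "$lib" -force
      modutil -dbdir . -nocertdb -list | grep -q "^ *[0-9]*\. ${name}\$" )
}

# Example invocation for a LunaSA token (placeholder instance name; stop the
# instance first, then start it again after editing CS.cfg):
#   register_hsm_module /var/lib/instance_name/alias lunasa /usr/lunasa/lib/libCryptoki2.so
#   set_cs_cfg /var/lib/instance_name/conf/CS.cfg ca.requestVerify.token lunasa
```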
Section 6.3.9, “Setting up HSMs for Storing Certificate System Subsystem Keys and Certificates” describes how to set up a hardware token to use with a subsystem.