14.4. Importing a certificate into an HSM

This procedure describes how to import a certificate into an HSM after gaining a newly issued certificate (such as when a system certificate is renewed) whose keys were generated on the same HSM token as the process of creating a CSR.
Before beginning, please change directories into the NSS DB:
  • cd /path/to/nssdb for example cd /var/lib/pki/pki-ca/alias
Ensure that your web service is taken offline (stopped, disabled, etc.) while performing these steps and ensure no concurrent access to the NSS DB by other processes (such as a browser). Doing so may corrupt the NSS DB or result in improper usage of these certificates.
If you have not imported and trusted the root certificate, see Section 14.2, “Importing a Root Certificate”. If you have not imported and validated the intermediate certificates, see Section 14.3, “Importing an Intermediate Certificate Chain”.
Note that which set of instructions you follow will depend on the usage for the certificate in question.
  • For TLS server certs for all PKI substems, follow the server certificate steps.
  • For any subsystem's audit signing cert, follow the steps below for validating an object Signing certificate.
  • For the CA subsystem's signing cert, follow the steps above for importing and validating an intermediate certificate chain, but do so only with the caSigningCert.
  • For the CA subsystem's OCSP signing cert, follow the steps below for validating an OCSP certificate.
  • For all other system certs of the PKI subsystems, follow the Client Certificate steps.
For more information about the certutil and PKICertImport options used below, see Section 14.1, “About certutil and PKICertImport.

To import a server certificate on the HSM:

  • Execute PKICertImport -d . -h HSM -n "host.name.example.com" -t ",," -a -i service.crt -u V
    This command validates and imports the server certificate onto the HSM. The validation succeeds when no error message is printed and the return code is 0. To check the return code, execute echo $? immediately after executing the previous command above. In most cases, a visual error message is printed. The certificate usually fails to validate due to expiry of a parent certificate or a missing CA trust chain (such as a missing intermediate certificate or a missing CA Root). If the validation does not succeed, contact the issuer and ensure that all intermediate and root certificates are present on your system.

To import a client certificate on the HSM:

  • Execute PKICertImport -d . -h HSM -n "client name" -t ",," -a -i client.crt -u C
    This command validates and imports the client certificate onto the HSM. The validation succeeds when no error message is printed and the return code is 0. To check the return code, execute echo $? immediately after executing the previous command above. In most cases, a visual error message is printed. If the validation does not succeed, contact the issuer and ensure that all intermediate and root certificates are present on your system.

To import an object signing certificate on the HSM:

  • Execute PKICertImport -d . -h HSM -n "certificate name" -t ",,P" -a -i objectsigning.crt -u J
    This command validates and imports the object signing certificate onto the HSM. The validation succeeds when no error message is printed and the return code is 0. To check the return code, execute echo $? immediately after executing the previous command above. In most cases, a visual error message is printed. If the validation does not succeed, contact the issuer and ensure that all intermediate and root certificates are present on your system.

To import an OCSP response signing certificate on the HSM:

  • Execute PKICertImport -d . -h HSM -n "certificate name" -t ",," -a -i ocsp.crt -u O
    This command validates and imports the OCSP responder certificate onto the HSM. The validation succeeds when no error message is printed and the return code is 0. To check the return code, execute echo $? immediately after executing the previous command above. In most cases, a visual error message is printed. If the validation does not succeed, contact the issuer and ensure that all intermediate and root certificates are present on your system.