
How can I use CloudHSM certificates for a client end-to-end encrypted connection?


I want to know how the AWS CloudHSM client end-to-end encryption works, and which hardware security module (HSM) certificates to use.

Short description

The following nested TLS connections establish the end-to-end encrypted connection between the CloudHSM client and HSM within a CloudHSM cluster:

  • Server TLS connection
  • HSM TLS connection

For more information, see AWS CloudHSM client end-to-end encryption.

Resolution

Server TLS connection

The client establishes a TLS connection to the server that hosts the HSM hardware. This is a two-way TLS connection between the server and client.

The server sends a self-signed certificate. Run the following command to view the self-signed certificate details:

openssl s_client -connect <HSM_IP>:2223 </dev/null 2>/dev/null | openssl x509 -subject -issuer -serial -noout

Example output:

subject= /C=US/ST=Virginia/L=Herndon/O=AWS/OU=AWS Cryptography/CN=CloudHSM/emailAddress=cloudhsm-team@amazon.com
issuer= /C=US/ST=Virginia/L=Herndon/O=AWS/OU=AWS Cryptography/CN=CloudHSM/emailAddress=cloudhsm-team@amazon.com
serial=B7FA7A40976CBE82

The HSM client verifies that the certificate authority (CA) trust store that's bundled within the CloudHSM client libraries includes this certificate.

The HSM client sends the client certificate to the server. The server verifies that the client certificate comes from one of the following sources:

  • The default certificate that the CloudHSM client library includes.
  • A certificate that customerCA.crt issues.

HSM TLS connection

The second TLS connection from the client to the HSM occurs within the first TLS connection layer. During cluster initialization, the HSM issues the CloudHSM cluster certificate and sends it to the client.

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

To download the cluster certificate, run the following describe-clusters command:

aws cloudhsmv2 describe-clusters --query "Clusters[?ClusterId=='CLUSTER_ID'].Certificates.ClusterCertificate" --output text

Note: Replace CLUSTER_ID with your cluster ID.

The HSM client verifies whether customerCA.crt issued the certificate.
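The following is an added example, not code from the AWS article, that reproduces both trust checks described on this page with throwaway certificates generated by openssl: the bundled-trust-store check that the client applies to the self-signed server certificate (a self-signed certificate chains to nothing, so it must itself be in the store), and the customerCA.crt check that the client applies to the cluster certificate. Every file name, common name and the contents of the "bundled" trust store are constructed for the demonstration; `openssl verify -CAfile` stands in for the client's own verification logic.

```shell
#!/bin/sh
# Added example (not AWS material): reproduce the two certificate checks the
# CloudHSM client performs, using throwaway certificates generated here.
#   1. Server TLS: a self-signed server cert must itself be in the trust store.
#   2. HSM TLS:    the cluster cert must chain to customerCA.crt.
set -e
WORK=$(mktemp -d)

# Self-signed certificate: stand-in for the server certificate or for customerCA.crt
selfsigned() {  # $1 = file base name, $2 = common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Certificate issued by one of the CAs above: stand-in for the cluster certificate
issued() {  # $1 = file base name, $2 = common name, $3 = issuing CA base name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/$3.crt" \
    -CAkey "$WORK/$3.key" -CAcreateserial -out "$WORK/$1.crt" 2>/dev/null
}

# The check itself: exit 0 when the certificate in $2 chains to (or is) a
# certificate in the trust store $1, non-zero otherwise. The client does this
# with its bundled store for the server cert and with customerCA.crt for the
# cluster cert.
trusted_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed fixtures: none of these are real CloudHSM certificates.
make_fixtures() {
  selfsigned server     "example server"      # self-signed server cert
  selfsigned customerCA "example customerCA"  # stand-in for customerCA.crt
  selfsigned other      "unrelated CA"        # a CA nobody trusts
  issued cluster "example cluster" customerCA # stand-in for the cluster cert
  # Trust store "bundled in the client": contains only the server cert
  cp "$WORK/server.crt" "$WORK/bundled-trust-store.pem"
}

main_demo() {
  make_fixtures
  for case in "bundled-trust-store.pem server.crt" "customerCA.crt cluster.crt" \
              "other.crt cluster.crt" "customerCA.crt server.crt"; do
    set -- $case
    if trusted_by "$WORK/$1" "$WORK/$2"; then
      echo "$2: trusted by $1"
    else
      echo "$2: NOT trusted by $1"
    fi
  done
}

main_demo
```

The first two cases pass and the last two fail: the cluster certificate is rejected by an unrelated CA, and the self-signed server certificate is rejected by customerCA.crt because it can only be trusted by a store that contains it directly. Against a real cluster, the equivalent manual check is to save the PEM printed by the describe-clusters command above to a file and run `openssl verify -CAfile customerCA.crt` against it.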

If you activate mutual TLS (mTLS), then the client sends a client certificate chain to the HSM. The HSM verifies the certificate chain based on the trust anchor that's registered during the mTLS setup.

Note: The self-signed server certificate, the CloudHSM cluster certificate, and customerCA.crt can't be changed or renewed.

AWS OFFICIAL · Updated 21 days ago