How to get a key handle in the v5 CloudHSM SDK

I'm running the v5 CloudHSM SDK with the OpenSSL dynamic engine. I want to create a CSR.

openssl req -engine cloudhsm -keyform engine -new -out my-csr.csr -subj "/CN=Example /O=example.com" -key "handle:1"

My question is: where in the v5 SDK can I find a key handle? I don't have access to the v3 tools like the KMU/CMU tools.

asked a month ago, 67 views

1 Answer

In AWS CloudHSM Client SDK 5, there are a few ways to obtain key handles without using the older Key Management Utility (KMU) or Cryptographic Management Utility (CMU) tools:

  1. CloudHSM CLI: The latest versions of Client SDK 5 (starting from version 5.10.0) include enhanced key management functionality in the CloudHSM CLI. You can use this CLI to list keys and obtain their handles.

  2. OpenSSL Dynamic Engine: When using the OpenSSL Dynamic Engine with CloudHSM, you can generate a key and obtain its handle in a single step. For example:

    openssl genrsa -out rsa_private_key.pem -f4 -engine cloudhsm 2048

    This command creates a new RSA key in your CloudHSM cluster and generates a fake PEM file. The fake PEM file contains information about the key, including its handle.

  3. Custom Code: If you're comfortable with programming, you can use the PKCS#11 library or Java SDK provided with Client SDK 5 to write custom code that lists keys and retrieves their handles.

  4. Keytool: For Java-based applications, you can use the keytool utility with the CloudHSM keystore to manage keys. While keytool doesn't directly expose key handles, it uses aliases that are often derived from the key labels in the HSM.

Remember that when you create a new key using these methods, you should take note of the handle assigned to it. For existing keys, you may need to list all keys and identify the one you need based on its attributes or label.

For your specific use case of creating a CSR, you can generate the key and CSR in one step using the OpenSSL Dynamic Engine, which will automatically use the correct key handle:

openssl req -engine cloudhsm -keyform engine -new -out my-csr.csr -subj "/CN=Example /O=example.com" -newkey rsa:2048

This command generates a new 2048-bit RSA key in the HSM and creates a CSR for it, without you needing to specify the key handle explicitly.
Sources:
  How to retrieve CloudHSM partition and key info using SDK 5 | AWS re:Post
  AWS CloudHSM SDK5 Keystore aliases | AWS re:Post
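The following is an added example and is not code from the question or the answer above, nor from AWS. It ties option 1 of the answer (list keys with the SDK 5 CloudHSM CLI) to the question's own `-key "handle:<N>"` command: look a key up by label, pull its reference out of the CLI output, and hand the resulting handle to `openssl req`. It assumes things the page does not state: that the CLI lives at /opt/cloudhsm/bin/cloudhsm-cli, that single-command mode authenticates through the CLOUDHSM_ROLE and CLOUDHSM_PIN environment variables, that `key list --filter attr.label=<label>` prints JSON in which each matched key carries a hexadecimal "key-reference" field, and that this value, written in decimal, is the handle the OpenSSL engine expects. The JSON sample inside the script is constructed for the offline self-check; the HSM steps only run when the CLI is present.

```shell
#!/bin/sh
# Added example, not code from the re:Post question or answer above.
# Looks up a CloudHSM key handle by label with the SDK 5 CloudHSM CLI and
# passes it to the OpenSSL dynamic engine as "-key handle:<N>", the form used
# in the question.
#
# Assumptions not stated on the page: the CLI path below, authentication via
# the CLOUDHSM_ROLE / CLOUDHSM_PIN environment variables in single-command
# mode, a JSON "key-reference" field holding a hex value, and that the decimal
# form of that value is the handle the engine accepts.

CLI=${CLOUDHSM_CLI:-/opt/cloudhsm/bin/cloudhsm-cli}

# Read CLI JSON on stdin and print the first key-reference as a decimal handle.
# Returns 1 when no key matched, so a caller can never fall through to
# "handle:" with an empty or zero value.
key_handle_from_json() {
    ref=$(sed -n 's/.*"key-reference"[[:space:]]*:[[:space:]]*"\(0x[0-9A-Fa-f]*\)".*/\1/p' | head -n 1)
    [ -n "$ref" ] || return 1
    printf '%s\n' "$(( $ref ))"
}

# Ask the HSM for the key carrying exactly this label; print its decimal handle.
lookup_handle() {
    "$CLI" key list --filter "attr.label=$1" | key_handle_from_json
}

# Build a CSR for the key behind decimal handle $1, with subject $2, into file $3.
make_csr() {
    openssl req -engine cloudhsm -keyform engine -new \
        -key "handle:$1" -subj "$2" -out "$3"
}

# Constructed sample of the assumed CLI output, used only for the offline check.
SAMPLE_JSON='{"error_code":0,"data":{"matched_keys":[{"key-reference":"0x00000000001c0686","attributes":{"label":"csr-key"}}],"total_key_count":1,"returned_key_count":1}}'

if [ -x "$CLI" ]; then
    label=${KEY_LABEL:-csr-key}
    handle=$(lookup_handle "$label") || { echo "no key labelled $label" >&2; exit 1; }
    make_csr "$handle" "/CN=Example/O=example.com" my-csr.csr
else
    # No HSM on this machine: exercise only the parsing step on the sample.
    printf '%s' "$SAMPLE_JSON" | key_handle_from_json
fi
```

Failing closed when the label matches nothing is the point of the `return 1` in `key_handle_from_json`: without it the script would run `openssl req -key "handle:"` and the resulting error would be far less obvious than "no key labelled csr-key". For a key you created earlier, the label is the attribute to filter on; for a key generated by the engine itself, record the handle at creation time as the answer recommends.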
