Generating Certificates using a Fortanix Data Security Manager key

Overview

The Fortanix Data Security Manager (DSM) can securely generate or import RSA and EC keys. A common use case is generating a certificate signing request (CSR) for such a key, so that the private key never leaves DSM.

This article describes how to generate a certificate request from a key in Fortanix DSM.

Generating an asymmetric key

There are many ways to generate a key in Fortanix DSM - using the REST APIs, using one of the supported clients, or by simply using the web UI.

For the rest of this article, let’s assume that the name of the key is test-key. The key may be RSA or EC.

You will need an application in the Fortanix DSM web interface to use with the keys you create. If you don’t yet have an application, see Getting Started for instructions on how to create one.

Generating a certificate request in Windows using CNG

To use the CNG provider to generate a CSR for an existing key, you need to have the following software installed on your Windows machine:

Run the following command to list all keys and verify that test-key exists in Fortanix DSM.

certutil -csp "Fortanix KMS CNG Provider" -key

Create a configuration file req.inf based on the following template.

[NewRequest]
Subject = "CN=mydomain.com"
KeyContainer = "test-key"
; Uncomment the following line if using the machine key store
; MachineKeySet = true
ProviderName = "Fortanix KMS CNG Provider"
UseExistingKeySet = true

Now, run the following command to generate the certificate request for a key named test-key and write it to a file out.csr:

certreq -new req.inf out.csr

Generating a certificate request in Linux using OpenSSL and PKCS#11

To use OpenSSL to generate a certificate request (CSR) for an existing key, you need the following software installed on your Linux machine:

  • OpenSSL
  • The OpenSSL PKCS#11 engine. On Debian-based Linux distributions (including Ubuntu), you can install it with sudo apt install libengine-pkcs11-openssl. On CentOS, RHEL, or Fedora, you can install it with yum install engine_pkcs11 if you have the EPEL repository available.
  • The Fortanix DSM PKCS#11 library. See PKCS#11 Developers Guide for how to install and configure the library.

Create an OpenSSL configuration file openssl-fortanix-sdkms.cnf based on the following template.

  • Replace <API key> with the API key for your application, which you can retrieve from the applications page in the web interface.
  • Set the OPENSSL_CONF environment variable to point to this file.

openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]
# empty.

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/fortanix-sdkms-pkcs11.so
PIN = <API key>
init = 0

Now, run the following command to generate the certificate request for a key named test-key and write it to a file out.csr:

openssl req -engine pkcs11 -keyform engine -new -key label_test-key -nodes -sha256 -out out.csr -subj /CN=mydomain.com
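The request should be signed with the existing DSM key, not a fresh software key that the tooling generated because the label or UseExistingKeySet setting was not honoured. The script below is an added check that is not part of the original article: it verifies the CSR's self-signature, compares its public key with the public half of test-key, and confirms the subject CN. It assumes openssl is on PATH and that the DSM key's public half has been exported to a PEM file, for example with openssl pkey -engine pkcs11 -inform engine -in label_test-key -pubout (an assumed command, not from the article).

```shell
#!/bin/sh
# Added example, not from the Fortanix article: sanity-check a CSR against the
# public key of the DSM key it should have been signed with.
# Assumes: openssl on PATH; the DSM key's public half exported to a PEM file
# (assumed command: openssl pkey -engine pkcs11 -inform engine -in label_test-key -pubout).
set -eu

# SHA-256 fingerprint of a PEM public key read from stdin (DER SubjectPublicKeyInfo).
spki_fingerprint() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# check_csr CSR PUBKEY_PEM EXPECTED_CN
# Exit status 0 only if the CSR's self-signature verifies, its public key equals the
# one in PUBKEY_PEM, and its subject CN equals EXPECTED_CN.
check_csr() {
    csr=$1; pub=$2; want_cn=$3
    # 1. The self-signature proves the request was signed by the holder of the private key.
    if ! openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
        echo "CSR signature does not verify" >&2
        return 1
    fi
    # 2. Fingerprint comparison catches a CSR that was silently made with a new
    #    software key instead of the existing DSM key (e.g. UseExistingKeySet ignored).
    csr_fp=$(openssl req -in "$csr" -noout -pubkey | spki_fingerprint)
    key_fp=$(spki_fingerprint < "$pub")
    if [ "$csr_fp" != "$key_fp" ]; then
        echo "CSR public key $csr_fp does not match DSM key $key_fp" >&2
        return 2
    fi
    # 3. Subject check against the CN that was requested.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 \
         | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" != "$want_cn" ]; then
        echo "CSR subject CN is '$cn', expected '$want_cn'" >&2
        return 3
    fi
    echo "CSR OK: CN=$cn key=$key_fp"
}

# Usage: check_csr out.csr dsm-pub.pem mydomain.com
```

The same check applies to a CSR produced with certreq on Windows, since it only reads the PKCS#10 file and the exported public key.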

Generating a certificate request in Java using JCE Provider

To generate a CSR in Java, you need to install the Fortanix DSM JCE provider on your system. The installation instructions are in the JCE Developer Guide.

The following sample code generates the CSR:

// Note: PKCS10 and X500Name are JDK-internal classes (sun.security.*). On JDK 9 and
// later they must be exported explicitly for both javac and java, e.g.
//   --add-exports java.base/sun.security.pkcs10=ALL-UNNAMED
//   --add-exports java.base/sun.security.x509=ALL-UNNAMED
import sun.security.pkcs10.PKCS10;
import sun.security.x509.X500Name;

import javax.security.auth.x500.X500Principal;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;

public class GenerateCSR {

    public static void main(String[] args) throws Exception {
        // Generate the key pair through the Fortanix DSM JCE provider ("sdkms-jce");
        // an existing key pair from the provider can be used instead.
        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA", "sdkms-jce");
        keyGen.initialize(2048);
        KeyPair keypair = keyGen.generateKeyPair();
        PublicKey publicKey = keypair.getPublic();

        // The request carries the public key; the subject is set when it is signed.
        PKCS10 pkcs10 = new PKCS10(publicKey);

        // Subject: common name, organizational unit, organization, country
        X500Principal principal = new X500Principal("CN=Mydomain.com, OU=MyUnit, O=MyOrganization, C=US");
        X500Name x500name = new X500Name(principal.getEncoded());

        // Sign the request with the private key via the DSM provider, so the
        // signing operation is performed by DSM rather than in the JVM.
        Signature signature = Signature.getInstance("SHA256withRSA", "sdkms-jce");
        signature.initSign(keypair.getPrivate());
        pkcs10.encodeAndSign(x500name, signature);

        pkcs10.print(System.out); // Writes the CSR in PEM format
    }
}
