Generating Certificates using a Fortanix Data Security Manager Key

1.0 Introduction

Fortanix-Data-Security-Manager (DSM) can securely generate or import an RSA and EC keys. A common use case involves generating a certificate request using this key.

This article describes how to generate a certificate request from a key in Fortanix DSM.

2.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

2.1 Signing Up

To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

2.2 Creating an Account

Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.

2.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. Click the Groups menu item in the DSM left navigation panel and click the + button on the Groups page to add a new group.

   

2. On the Adding new group page, enter the following details:

   • Title: Enter a title for your group.

   • Description (optional): Enter a short description for the group.

3. Click the SAVE button to create the new group.

The new group has been added to the Fortanix DSM successfully.

2.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

1. Click the Apps menu item in the DSM left navigation panel and click the + button on the Apps page to add a new app.

   

2. On the Adding new app page, enter the following details:

   • App name: Enter the name of your application.

   • ADD DESCRIPTION (optional): Enter a short description for the application.

   • Authentication method: Select the default API Key as the method of authentication from the drop down menu. For more information on these authentication methods, refer to User's Guide: Authentication documentation.

   • Assigning the new app to groups: Select the group created in Section 2.3: Creating a Group from the list.

3. Click the SAVE button to add the new application.

The new application has been added to the Fortanix DSM successfully.

2.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

1. Click the Apps menu item in the DSM left navigation panel and click the app created in Section 2.4: Creating an Application to go to the detailed view of the app.

2. On the INFO tab, click the VIEW API KEY DETAILS button.

3. From the API Key Details dialog box, copy the API Key of the app to be used in Section 5.0: Generating a Certificate Request in Linux using OpenSSL and PKCS#11.

3.0 Generating an Asymmetric Key

There are many ways to generate a key in Fortanix DSM - using the REST APIs, using one of the supported clients, or by simply using the web UI.

For the rest of this article, let’s assume that the name of the key is test-key. The key may be RSA or EC.

You will need an application in the Fortanix DSM web interface to use with the keys you create. If you don’t yet have an application, see Getting Started for instructions on how to create one.

4.0 Generating a Certificate Request in Windows Using CNG

To use the CNG provider to generate a Certificate Signing Request (CSR) for an existing key, you need to have the following software installed on your Windows machine:

• Fortanix DSM CNG library. See CNG Developers Guide for how to install and configure the library.

Run the following command to list all keys and verify that test-key exists in Fortanix DSM.

certutil -csp “Fortanix KMS CNG Provider” -key

Create a configuration file req.inf based on the following template

[NewRequest]
Subject = "CN=mydomain.com"
KeyContainer = "test-key"
; Uncomment the following file if using the machine key storage
; MachineKeySet = true
ProviderName = "Fortanix KMS CNG Provider"
UseExistingKeySet = true

Now, run the following command to generate the certificate request for a key named test-key and write it to a file out.csr:

certreq -new req.inf out.csr

5.0 Generating a Certificate Request in Linux using OpenSSL and PKCS#11

To use OpenSSL to generate a certificate request (CSR) for an existing key, you need the following software installed on your Linux machine:

• OpenSSL

• The OpenSSL PKCS#11 engine. On Debian-based Linux distributions (including Ubuntu), you can install it with sudo apt install libengine-pkcs11-openssl. On CentOS, RHEL, or Fedora, you can install it with yum install engine_pkcs11 if you have the EPEL repository available.

• The Fortanix DSM PKCS#11 library. See PKCS#11 Developers Guide for how to install and configure the library.

Create an OpenSSL configuration file openssl-fortanix-sdkms.cnf based on the following template.

• Replace <API key> with the API key for your application, which you can retrieve from the applications page in the web interface.

• Set the OPENSSL_CONF environment variable to point to this file.

openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]
# empty.

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/fortanix-sdkms-pkcs11.so
PIN = 
init = 0

Now, run the following command to generate the certificate request for a key named test-key and write it to a file out.csr:

openssl req -engine pkcs11 -keyform engine -new -key label_test-key -nodes -sha256 -out out.csr -subj /CN=mydomain.com

6.0 Generating a Certificate Request in Java using JCE Provider

To generate a CSR in Java, you need to install Fortanix DSM JCE provider on your system. The instructions for installation are at the JCE Developer Guide.

Following is the sample code to generate the CSR:

import sun.security.pkcs10.PKCS10;
import sun.security.x509.X500Name;

import javax.security.auth.x500.X500Principal;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;

public class GenerateCSR {

    public static void main(String[] args) throws Exception {
        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA", "sdkms-jce");
        keyGen.initialize(2048);
        KeyPair keypair = keyGen.generateKeyPair(); // one can use an existing keypair as well.
        PublicKey publicKey = keypair.getPublic();

        PKCS10 pkcs10 = new PKCS10(publicKey);

        // common, orgUnit, org, locality, state, country
        X500Principal principal = new X500Principal("CN=Mydomain.com, OU=MyOrganization, O=MyUnit, C=US");

        X500Name x500name = null;
        x500name = new X500Name(principal.getEncoded());

        Signature signature = Signature.getInstance("SHA256withRSA", "sdkms-jce");
        signature.initSign(keypair.getPrivate());
        pkcs10.encodeAndSign(x500name, signature);
        pkcs10.print(System.out); // This is the CSR in pem format
    }
}