Generating Certificates using a Fortanix Data Security Manager Key

1.0 Introduction

Fortanix-Data-Security-Manager (DSM) can securely generate or import an RSA and EC keys. A common use case involves generating a certificate request using this key.

2.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

2.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

2.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

2.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

   

2. On the Adding new group page, do the following:

   1. Title: Enter a title for your group.

   2. Description (optional): Enter a short description of the group.

3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

2.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

   

2. On the Adding new app page, enter the following details:

   1. App name: Enter the name for your application.

   2. ADD DESCRIPTION (optional): Enter a short description of the application.

   3. Authentication method: Select the default API Key as the authentication method from the drop down menu. For more information on these authentication methods, refer to the User's Guide: Authentication documentation.

   4. Assigning the new app to groups: Select the group created in Section 2.3: Creating a Group from the list.

3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

2.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 2.4: Creating an Application to go to the detailed view of the app.

2. On the INFO tab, click VIEW API KEY DETAILS.

3. From the API Key Details dialog box, copy the API Key of the app to be used in Section 5.0: Generating a Certificate Request in Linux using OpenSSL and PKCS#11.

2.6 Creating a Security Object

Perform the following steps to generate an RSA key in the Fortanix DSM:

1. In the DSM left navigation panel, click the Security Objects menu item, and then click the + button to create a new security object.

   

2. On the Add new Security Object page, do the following:

   1. Security Object name: Enter the name for your security object. For example, test-key.

   2. Group: Select the group as created in Section 2.3: Creating a Group.

   3. Select the GENERATE radio button.

   4. In the Choose a type section, select the RSA key type.

   5. In the Key Size section, select the size of the key in bits.

   6. In the Key operations permitted section, select the required operations to define the actions that can be performed with the cryptographic keys, such as encryption, decryption, signing, and verifying.

3. Click GENERATE to create the new security object.

3.0 Generating a Certificate Request in Windows Using CNG

Perform the following steps to generate a Certificate Signing Request (CSR) using the Fortanix CNG (Cryptography Next Generation) provider for an existing key stored in Fortanix DSM:

NOTE

Ensure you have the Fortanix DSM CNG library installed and configured on your Windows machine. For more information, refer to the Clients: Microsoft CNG Key Storage Provider.

1. Run the following command to list all keys and verify that test-key exists in Fortanix DSM:

   certutil -csp “Fortanix KMS CNG Provider” -key

2. Run the following commands to create req.inf configuration file and define the certificate request parameters:

   [NewRequest]
   Subject = "CN=mydomain.com"
   KeyContainer = "test-key"
   ; Uncomment the following file if using the machine key storage
   ; MachineKeySet = true
   ProviderName = "Fortanix KMS CNG Provider"
   UseExistingKeySet = true

   Where,

   • KeyContainer must match the name of the key stored in Fortanix DSM.

   • Set MachineKeySet = true only if you're using the machine key store.

3. Run the following command to generate the CSR using the parameters defined in req.inf. The CSR will be saved in the file out.csr:

   certreq -new req.inf out.csr

4.0 Generating a Certificate Request in Linux using OpenSSL and PKCS#11

You must generate a certificate signing request (CSR) on a Linux machine using an existing key stored in Fortanix DSM. You can integrate OpenSSL with the Fortanix PKCS#11 library. This process ensures that the private key operations remain secure within the Fortanix DSM boundary, while still leveraging OpenSSL’s CSR generation capabilities.

NOTE

Ensure that the following components are installed on your Linux system:

• OpenSSL

• OpenSSL PKCS#11 Engine:

  • On Debian-based distributions (for example, Ubuntu), install it using:

    bashCopyEditsudo apt install libengine-pkcs11-openssl

  • On RHEL-based systems (for example, CentOS, Fedora), install it using:

    bashCopyEditsudo yum install engine_pkcs11

    Ensure the EPEL repository is enabled if the package is not found.

• Fortanix DSM PKCS#11 Library: For more information how how to install and configure the library for your system, refer to the Clients: PKCS#11 Supported Functions and Mechanisms.

Perform the following steps:

1. Create a configuration file named openssl-fortanix-sdkms.cnf with the following contents. This file tells OpenSSL how to interface with the Fortanix PKCS#11 engine:

   openssl_conf = openssl_def
   
   [openssl_def]
   engines = engine_section
   
   [req]
   distinguished_name = req_distinguished_name
   
   [req_distinguished_name]
   # empty.
   
   [engine_section]
   pkcs11 = pkcs11_section
   
   [pkcs11_section]
   engine_id = pkcs11
   dynamic_path = /usr/lib/engines/engine_pkcs11.so
   MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/fortanix-sdkms-pkcs11.so
   PIN = 
   init = 0

   Where,

   • Replace the PIN field with your Fortanix DSM API key as copied in Section 2.5: Copying the API Key.

   • Set the OPENSSL_CONF environment variable to point to this file.

2. Before running OpenSSL, export the configuration file path to the OPENSSL_CONF environment variable:

   export OPENSSL_CONF=openssl-fortanix-sdkms.cnf

3. Run the following command to generate a CSR for the key named test-key. This command uses the label assigned to your key in Fortanix DSM:

   openssl req -engine pkcs11 -keyform engine -new -key label_test-key -nodes -sha256 -out out.csr -subj /CN=mydomain.com

   Where,

   • Replace label_test-key with the correct label of your Fortanix DSM key.

   • Update the subject (/CN=mydomain) as needed for your environment.

5.0 Generating a Certificate Request in Java using JCE Provider

You must install the Fortanix DSM JCE provider on your system to generate a CSR in Java. For more information, refer to the Clients: Java Cryptography Extension (JCE) Provider.

The following is a sample code to generate the CSR:

import sun.security.pkcs10.PKCS10;
import sun.security.x509.X500Name;

import javax.security.auth.x500.X500Principal;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;

public class GenerateCSR {

    public static void main(String[] args) throws Exception {
        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA", "sdkms-jce");
        keyGen.initialize(2048);
        KeyPair keypair = keyGen.generateKeyPair(); // one can use an existing keypair as well.
        PublicKey publicKey = keypair.getPublic();

        PKCS10 pkcs10 = new PKCS10(publicKey);

        // common, orgUnit, org, locality, state, country
        X500Principal principal = new X500Principal("CN=Mydomain.com, OU=MyOrganization, O=MyUnit, C=US");

        X500Name x500name = null;
        x500name = new X500Name(principal.getEncoded());

        Signature signature = Signature.getInstance("SHA256withRSA", "sdkms-jce");
        signature.initSign(keypair.getPrivate());
        pkcs10.encodeAndSign(x500name, signature);
        pkcs10.print(System.out); // This is the CSR in pem format
    }
}