1.0 Introduction
Fortanix Data Security Manager (DSM) can securely generate or import RSA and EC keys. A common use case is generating a certificate signing request (CSR) with such a key.
2.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
2.1 Signing Up
To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
2.2 Creating an Account
Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.
Figure 1: Logging in
For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.
2.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.
Figure 2: Add groups
On the Adding new group page, do the following:
Title: Enter a title for your group.
Description (optional): Enter a short description of the group.
Click SAVE to create the new group.
The new group is added to the Fortanix DSM successfully.
2.4 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.
Figure 3: Add application
On the Adding new app page, enter the following details:
App name: Enter the name for your application.
ADD DESCRIPTION (optional): Enter a short description of the application.
Authentication method: Select the default API Key as the authentication method from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication documentation.
Assigning the new app to groups: Select the group created in Section 2.3: Creating a Group from the list.
Click SAVE to add the new application.
The new application is added to the Fortanix DSM successfully.
2.5 Copying the API Key
Perform the following steps to copy the API key from the Fortanix DSM:
In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 2.4: Creating an Application to go to the detailed view of the app.
On the INFO tab, click VIEW API KEY DETAILS.
From the API Key Details dialog box, copy the API Key of the app to be used in Section 4.0: Generating a Certificate Request in Linux using OpenSSL and PKCS#11.
2.6 Creating a Security Object
Perform the following steps to generate an RSA key in the Fortanix DSM:
In the DSM left navigation panel, click the Security Objects menu item, and then click the + button to create a new security object.
Figure 4: Adding security object
On the Add new Security Object page, do the following:
Security Object name: Enter the name for your security object. For example, test-key.
Group: Select the group as created in Section 2.3: Creating a Group.
Select the GENERATE radio button.
In the Choose a type section, select the RSA key type.
In the Key Size section, select the size of the key in bits.
In the Key operations permitted section, select the required operations to define the actions that can be performed with the cryptographic keys, such as encryption, decryption, signing, and verifying.
Click GENERATE to create the new security object.
The new security object is added to the Fortanix DSM successfully.
3.0 Generating a Certificate Request in Windows Using CNG
Perform the following steps to generate a Certificate Signing Request (CSR) using the Fortanix CNG (Cryptography Next Generation) provider for an existing key stored in Fortanix DSM:
NOTE
Ensure you have the Fortanix DSM CNG library installed and configured on your Windows machine. For more information, refer to the Clients: Microsoft CNG Key Storage Provider.
Run the following command to list all keys and verify that test-key exists in Fortanix DSM:
certutil -csp "Fortanix KMS CNG Provider" -key
Create a req.inf configuration file with the following contents to define the certificate request parameters:
[NewRequest]
Subject = "CN=mydomain.com"
KeyContainer = "test-key"
; Uncomment the following line if using the machine key store
; MachineKeySet = true
ProviderName = "Fortanix KMS CNG Provider"
UseExistingKeySet = true
Where,
KeyContainer must match the name of the key stored in Fortanix DSM.
Set MachineKeySet = true only if you are using the machine key store.
Run the following command to generate the CSR using the parameters defined in req.inf. The CSR is saved in the file out.csr:
certreq -new req.inf out.csr
4.0 Generating a Certificate Request in Linux using OpenSSL and PKCS#11
To generate a certificate signing request (CSR) on a Linux machine with an existing key stored in Fortanix DSM, integrate OpenSSL with the Fortanix PKCS#11 library. Private key operations then stay inside the Fortanix DSM boundary while OpenSSL handles the CSR generation.
NOTE
Ensure that the following components are installed on your Linux system:
OpenSSL
OpenSSL PKCS#11 Engine:
On Debian-based distributions (for example, Ubuntu), install it using:
sudo apt install libengine-pkcs11-openssl
On RHEL-based systems (for example, CentOS, Fedora), install it using:
sudo yum install engine_pkcs11
Ensure the EPEL repository is enabled if the package is not found.
Fortanix DSM PKCS#11 Library: For more information on how to install and configure the library for your system, refer to the Clients: PKCS#11 Supported Functions and Mechanisms.
Perform the following steps:
Create a configuration file named openssl-fortanix-sdkms.cnf with the following contents. This file tells OpenSSL how to interface with the Fortanix PKCS#11 engine:
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]
# empty.
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/fortanix-sdkms-pkcs11.so
PIN =
init = 0
Where,
Replace the PIN field with your Fortanix DSM API key as copied in Section 2.5: Copying the API Key.
Set the OPENSSL_CONF environment variable to point to this file.
Before running OpenSSL, export the configuration file path in the OPENSSL_CONF environment variable:
export OPENSSL_CONF=openssl-fortanix-sdkms.cnf
Run the following command to generate a CSR for the key named test-key. This command uses the label assigned to your key in Fortanix DSM:
openssl req -engine pkcs11 -keyform engine -new -key label_test-key -nodes -sha256 -out out.csr -subj /CN=mydomain.com
Where,
Replace label_test-key with the correct label of your Fortanix DSM key.
Update the subject (/CN=mydomain.com) as needed for your environment.
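The Linux procedure above, wrapped in shell functions as an added example (not Fortanix's own code): the configuration is written with the PIN read from the environment through OpenSSL's $ENV:: expansion, so the API key is not stored on disk, and the resulting CSR is checked before it is sent to a CA. It assumes the engine and module paths shown above and a FORTANIX_API_KEY variable holding the API key from Section 2.5; check_csr compares against a public key PEM exported from DSM for the same security object.

```shell
#!/bin/sh
# Added example, not Fortanix's own code. Assumes the engine and module paths
# below, and that FORTANIX_API_KEY holds the app's API key from Section 2.5.
set -eu

# Write the OpenSSL config for the pkcs11 engine. OpenSSL expands $ENV::NAME
# from the process environment, so the API key is never stored in the file.
write_fortanix_openssl_conf() {   # <out.cnf> [module-path]
  module="${2:-/usr/lib/x86_64-linux-gnu/pkcs11/fortanix-sdkms-pkcs11.so}"
  ( umask 077; cat > "$1" <<EOF
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $module
PIN = \$ENV::FORTANIX_API_KEY
init = 0
EOF
  )
}

# Generate a CSR for the DSM key with the given label (e.g. test-key); the
# private key never leaves DSM, only the signature comes back.
gen_csr() {   # <conf> <key-label> <subject> <out.csr>
  OPENSSL_CONF="$1" openssl req -engine pkcs11 -keyform engine -new \
    -key "label_$2" -sha256 -subj "$3" -out "$4"
}

# Sanity-check a CSR before submitting it to a CA: the self-signature must
# verify, and the embedded public key must equal the public key exported from
# DSM for the same security object (expected-pubkey.pem).
check_csr() {   # <csr> <expected-pubkey.pem>
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(cat "$2")" ]
}

# Usage (requires the Fortanix PKCS#11 library and a reachable DSM):
#   export FORTANIX_API_KEY='<api key from Section 2.5>'
#   write_fortanix_openssl_conf openssl-fortanix-sdkms.cnf
#   gen_csr openssl-fortanix-sdkms.cnf test-key /CN=mydomain.com out.csr
#   check_csr out.csr test-key-pub.pem && echo "CSR matches DSM key"
```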
5.0 Generating a Certificate Request in Java using JCE Provider
You must install the Fortanix DSM JCE provider on your system to generate a CSR in Java. For more information, refer to the Clients: Java Cryptography Extension (JCE) Provider.
The following is sample code to generate the CSR:
// NOTE: sun.security.pkcs10 and sun.security.x509 are JDK-internal packages.
// On JDK 9 and later, compile and run with
//   --add-exports java.base/sun.security.pkcs10=ALL-UNNAMED
//   --add-exports java.base/sun.security.x509=ALL-UNNAMED
import sun.security.pkcs10.PKCS10;
import sun.security.x509.X500Name;
import javax.security.auth.x500.X500Principal;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;

public class GenerateCSR {
    public static void main(String[] args) throws Exception {
        // Generate the RSA key pair inside Fortanix DSM through the JCE provider.
        // An existing DSM key pair can be used here instead.
        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA", "sdkms-jce");
        keyGen.initialize(2048);
        KeyPair keypair = keyGen.generateKeyPair();
        PublicKey publicKey = keypair.getPublic();

        // The CSR carries only the public key; the private key stays in DSM.
        PKCS10 pkcs10 = new PKCS10(publicKey);

        // Subject: common name, organizational unit, organization, country
        X500Principal principal = new X500Principal("CN=Mydomain.com, OU=MyOrganization, O=MyUnit, C=US");
        X500Name x500name = new X500Name(principal.getEncoded());

        // Sign the request with the DSM-held private key via the provider.
        Signature signature = Signature.getInstance("SHA256withRSA", "sdkms-jce");
        signature.initSign(keypair.getPrivate());
        pkcs10.encodeAndSign(x500name, signature);
        pkcs10.print(System.out); // Writes the CSR in PEM format
    }
}