OpenSSL
This guide outlines step-by-step instructions for seamlessly integrating OpenSSL with a Luna HSM device or Luna Cloud HSM service. OpenSSL, an open-source project with a cryptographic library and SSL/TLS toolkit, provides powerful command-line tools for symmetric encryption, public-key encryption, and digital signing hash. Integration with Luna HSMs, powered by the Gem Engine, enables OpenSSL to efficiently access HSM resources, enhancing performance and security.
The key benefits of this integration are:
-
Secure generation, storage, and protection of the identity signing private keys using either FIPS 140-2 or FIPS 140-3 Level 3 validated hardware.
-
Full life cycle management of the keys to ensure their integrity and reliability throughout their usage.
-
Maintenance of a comprehensive HSM audit trail for transparency and accountability in key operations. It's important to note that Luna Cloud HSM service does not have access to this secure audit trail.
-
Significant performance enhancements by offloading cryptographic operations from application servers.
Supported Platforms
This integration has been tested and verified on the following platforms:
Platforms supported by Luna HSM
| OpenSSL Toolkit | Platform Tested |
|---|---|
| GemEngine 1.6 | Windows Server 2022 RHEL 9 RHEL 8 |
| GemEngine 1.5 | Windows Server 2019 RHEL 9 RHEL 8 |
| GemEngine 1.4 | Windows Server 2019 RHEL 8 |
| GemEngine 1.3 GemEngine 1.2 |
Windows Server 2019 Windows Server 2016 Windows Server 2012 R2 RHEL 7 |
This integration been tested using Luna Client in both High Availability (HA) and FIPS-compliant modes.
Platforms supported by Luna Cloud HSM
| OpenSSL Toolkit | Platform Tested |
|---|---|
| GemEngine 1.6 | Windows Server 2022 RHEL 8 |
| GemEngine 1.5 | Windows Server 2019 RHEL 8 |
| GemEngine 1.3 | Windows Server 2019 Windows Server 2016 RHEL 7 |
Prerequisites
The prerequisites for this integration are:
Set up Luna HSM
As the first step to accomplish this integration, you need to set up either On-Premise Luna HSM or Luna Cloud HSM.
Set up On-Premise Luna HSM
Follow these steps to set up your on-premise Luna HSM:
Ensure that the HSM is set up, initialized, provisioned, and ready for deployment. For more information, refer to Luna HSM documentation.
Create a partition that will be later on used by OpenSSL.
Create and exchange certificate between the Luna Network HSM and client system. Register client and assign partition to create an NTLS connection.
Initialize Crypto Officer and Crypto User roles for the registered partition.
Run the following command to verify that the partition has been successfully registered and configured:
/usr/safenet/lunaclient/bin/lunacm
Upon successful execution, you should observe an output similar to the example provided below:
lunacm (64-bit) v10.5.1-174. Copyright (c) 2022 Thales Group. All rights reserved. Available HSMs: Slot Id -> 0 Label -> TPA01 Serial Number -> 1312109862206 Model -> LunaSA 7.7.1 Firmware Version -> 7.7.1 Bootloader Version -> 1.1.2 Configuration -> Luna User Partition With SO (PW) Key Export With Cloning Mode Slot Description -> Net Token Slot FM HW Status -> Non-FM
Refer to Luna HSM documentation for detailed steps on creating NTLS connection, initializing the partitions, and assigning various user roles.
For proper configuration of a PED-based Luna HSM, it is recommended to activate partition policies 22 and 23, allowing for both activation and auto-activation.
Set up Luna HSM High-Availability Group
Refer to Luna HSM documentation for HA steps and details regarding configuring and setting up two or more HSM boxes on host systems. You must enable the HAOnly setting in HA for failover to work so that if the primary goes down due to any reason, all calls get automatically routed to the secondary until the primary recovers and starts up.
Set up Luna HSM in FIPS Mode
To configure Luna HSM in FIPS Mode, it's important to ensure that your RSA key generation methods comply with FIPS 186-3/4 standards. Specifically, FIPS 186-3/4 approves two methods for generating keys: 186-3 with primes and 186-3 with aux primes. This means that RSA PKCS and X9.31 key generation methods are no longer allowed when operating your Luna HSM in a FIPS-compliant mode. When using the Luna HSM in FIPS mode, you should make adjustments to your configuration settings by following these steps:
Open the configuration file for your Luna HSM.
Look for the [Misc] section within the configuration file.
Add or modify the following setting within the [Misc] section:
RSAKeyGenMechRemap=1
This setting instructs the Luna HSM to redirect older key generation mechanisms to the newly approved mechanism when the HSM is operating in FIPS mode.
This adjustment is not necessary for the Universal Client.
This configuration change applies exclusively to Luna Client 7.x.
Set up Luna Cloud HSM
Follow these steps to set up your Luna Cloud HSM:
Transfer the downloaded .zip file to your client workstation using pscp, scp, or other secure means
This integration has been certified on the RHEL platform.
Extract the .zip file into a directory on your client workstation.
Extract or untar the appropriate client package for your operating system. Do not extract to a new subdirectory; place the files in the client install directory.
tar -xvf cvclient-min.tar
Run the setenv script to create a new configuration file containing information required by the Luna Cloud HSM service.
source ./setenv
To add the configuration to an already installed UC client, use the –addcloudhsm option when running the setenv script.
Run the LunaCM utility and verify that the Cloud HSM service is listed.
If your organization requires non-FIPS algorithms for your operations, ensure that the Allow non-FIPS approved algorithms check box is checked. For more information, refer to Supported Mechanisms.
Set up OpenSSL toolkit
To seamlessly set up the OpenSSL toolkit with Gem Engine support, follow these steps:
Download the OpenSSL toolkit from the Thales Customer Support Portal, ensuring it includes Gem Engine support:
-
GemEngine v1.6: Doc ID KB0026742
-
GemEngine v1.5: Doc ID KB0024584
-
GemEngine v1.3: Doc ID KB0017806
-
GemEngine v1.2: Doc ID KB0016309
Familiarize yourself with OpenSSL by referring to the OpenSSL Documentation.
Integrate Luna HSM with OpenSSL using Gem Engine
For a seamless integration of Luna HSM with OpenSSL using Gem Engine, execute one of the following series of steps, depending on your environment:
Integrate OpenSSL with Luna HSM on UNIX
To integrate OpenSSL with Luna HSM on UNIX, use the following steps:
Install and configure OpenSSL toolkit on UNIX
To install and configure OpenSSL toolkit on UNIX, follow one of the scenarios below as per your requirements:
-
Scenario A: Integrate a pre-built dynamic engine with an existing OpenSSL installation
-
Scenario B: Compile the dynamic engine and integrate it with an existing OpenSSL installation
-
Scenario C: Compile and install OpenSSL from source and compile and install Gem Engine
-
Scenario D: Configure OpenSSL to enable Gem Engine by default
Scenario A: Integrate a pre-built dynamic engine with an existing OpenSSL installation
Follow these steps to integrate a pre-built dynamic engine with an existing OpenSSL installation:
Extract the Gem Engine toolkit and go to the Gem Engine directory.
Find the libgem.so or gem.so and sautil binaries in the builds/linux/<distributor>/<bit_version>/<OpenSSL_version> directory. For example: builds/linux/rhel/64/3.0/.
For OpenSSL version 1.1.x onwards, the dynamic engine library is gem.so.
Use gembuild to locate the OpenSSL Engines directory.
./gembuild locate-engines
Copy the libgem.so or gem.so to the OpenSSL engines directory to install the Gem Engine. For instance:
cp <gem-engine directory>/builds/linux/rhel/64/3.0/gem.so /usr/lib64/engines-3
Copy the sautil utility to /usr/local/bin based on your OpenSSL version.
cp <gem-engine directory>/builds/linux/rhel/64/3.0/sautil /usr/local/bin
Run the sautil utility to ensure all options are listed.
/usr/local/bin/sautil
Add the openssl and sautil locations to the PATH environment variable if they are not in the system defaults.
export PATH=/usr/local/bin:$PATH
Add the openssl library location to the LD_LIBRARY_PATH environment variable if not present in system defaults.
export LD_LIBRARY_PATH=/usr/local/lib64:$LD_LIBRARY_PATH
Verify Gem Engine support.
openssl engine gem -v
Scenario B: Compile the dynamic engine and integrate it with an existing OpenSSL installation
Follow these steps to compile the dynamic engine and integrate it with an existing OpenSSL installation:
Ensure the system has a C compiler and access to the make utility.
Download and unzip the OpenSSL source from https://www.openssl.org/source/. Pick a version that closely matches your current OpenSSL installation. For example, if you have OpenSSL v1.1.1, download any version within the v1.1.x series.
tar xvfz openssl-x.x.x.tar.gz
Navigate to the Gem Engine directory to find the engine location for the existing OpenSSL. Note the OpenSSL Engine directory for the next command.
./gembuild locate-engines
Run gembuild config, providing the necessary inputs to compile the engine.
./gembuild config --openssl-source=<Path to extracted OpenSSL source directory> --openssl-engines=<Path to Engine directory from step 2> --config-bits=64
Install the OpenSSL development package on the system if it is not already installed. If the OpenSSL headers directory is not in the default location /usr/include, use the --openssl-includes option. If the libcrypto.so file is not in the default libs location, use the --openssl-libs option. For GemEngine 1.6, you can specify the major version of the OpenSSL build using the new option --openssl-api=<major>. Here are examples:
--openssl-api=3.0
--openssl-api=1.1.1
Install the required EC header files.
./gembuild openssl-ec-headers
Compile the engine.
./gembuild engine-build
If you encounter an issue, refer to the Troubleshooting section.
Install the Gem Engine.
./gembuild engine-install
Verify Gem Engine support.
openssl engine gem -v
Compile and install sautil. By default, it will be installed to /usr/local/bin/sautil. If you prefer a different location, you can either use the --sautil-prefix option during compilation or specify the desired directory with the ./gembuild sautil-install command.
./gembuild sautil-build
./gembuild sautil-install
Scenario C: Compile and install OpenSSL and Gem Engine
Proceed with the following instructions to compile and install OpenSSL from source, and subsequently, compile and install the Gem Engine:
Download openssl-x.x.xx.tar.gz.
tar xvfz openssl-x.x.xx.tar.gz
Download and extract the OpenSSL FIPS module if FIPS is enabled. Otherwise, proceed to the next step.
tar xvfz openssl-fips-2.0.x.tar.gz
This step is applicable until OpenSSL v1.0.2 and can be omitted for the latest OpenSSL versions.
Extract the Gem Engine toolkit, access the Gem Engine directory, and then execute the gembuild config command, making sure to include the --prefix option.
If you are using OpenSSL v1.0.2 with the FIPS module, incorporate --openssl-fips-source=<Path to openssl-fips-2.0.x> into the gembuild config command: ./gembuild config --openssl-source=<Path to extracted OpenSSL source directory> --prefix=/usr/local --config-bits=64
If you are utilizing GemEngine v1.3 or a later version to construct and install OpenSSL v1.0.2, make sure to include --compat-102 in the command mentioned above. It's important to note that GemEngine v1.6 no longer supports OpenSSL v1.0.2. Instead, it introduces a new option, --openssl-api=<major>, where <major> signifies the major version of the OpenSSL build. For example, --openssl-api=3.0 or --openssl-api=1.1.1.
Proceed to compile and install the FIPS module, if FIPS is enabled. Otherwise, move on to next step. Please note that this step is relevant for OpenSSL v1.0.2 and can be skipped for the latest OpenSSL versions.
./gembuild openssl-fips-build
./gembuild openssl-fips-install
Compile and install OpenSSL using the toolkit.
./gembuild openssl-build
./gembuild openssl-install
Compile and install the Gem dynamic engine and verify the engine.
./gembuild engine-build
./gembuild engine-install
/usr/local/ssl/bin/openssl engine gem -v
If you encounter any known issues, refer to the Troubleshooting section.
Compile and install sautil.
./gembuild sautil-build
./gembuild sautil-install
The sautil tool will be installed in the directory <prefix>/sautil/bin/sautil, where <prefix> is the directory specified in a previous step using the --prefix option. If you wish to choose a different location, use the --sautil-prefix option when running the /gembuild sautil-install command.
Add openssl and sautil locations to the PATH environment variable. For example:
export PATH=/usr/local/ssl/bin:/usr/local/sautil/bin:$PATH
Add the openssl library location to the LD_LIBRARY_PATH environment variable. For example:
export LD_LIBRARY_PATH=/usr/local/ssl/lib:$LD_LIBRARY_PATH
Scenario D: Configure OpenSSL to enable Gem Engine by default
Follow these steps to configure OpenSSL to enable Gem Engine by default:
Open your terminal and type the following command to find the location where OpenSSL is installed:
openssl version -d
Make note of the OpenSSL directory location, indicated by OPENSSLDIR: "/usr/local/ssl".
Run the following command to discover the directory containing the Gem Engine files libgem.so or gem.so:
./gembuild locate-engines
Make note of this directory as it holds the Gem Engine files.
Ensure OpenSSL is set via the PATH environment variable. Verify with which openssl to ensure the correct configuration file is accessed.
Modify the openssl.cnf file as follows:
# Insert near the top of the file openssl.cnf:
openssl_conf = openssl_init
# Insert at the bottom of the file openssl.cnf:
[ openssl_init ]
engines = engine_section
[ engine_section ]
gem = gem_section
[ gem_section ]
dynamic_path = /usr/local/ssl/lib/engines/libgem.so
default_algorithms = ALL
Ensure the correct dynamic engine library is provided in dynamic_path.
Confirm that the Gem Engine is loaded as the default engine.
openssl engine -v
Check the application by generating a certificate request without using the engine parameter.
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
Configure Gem Engine to use Luna HSM on UNIX
To set up Gem Engine for Luna HSM on UNIX, follow one of the tasks below, based on the type of Luna HSM you are using:
Configure Gem Engine for Luna HSM
To set up Gem Engine for Luna HSM, follow these steps:
Open the /etc/Chrystoki.conf file and include the following GemEngine section:
GemEngine = {
LibPath = /usr/safenet/lunaclient/lib/libCryptoki2.so;
LibPath64 = /usr/safenet/lunaclient/lib/libCryptoki2_64.so;
EnableDsaGenKeyPair = 1;
EnableRsaGenKeyPair = 1;
DisablePublicCrypto = 1;
EnableRsaSignVerify = 1;
EnableLoadPubKey = 1;
EnableLoadPrivKey = 1;
DisableCheckFinalize = 1;
DisableEcdsa = 1;
DisableDsa = 0;
DisableRand = 0;
EngineInit = <slot_id>:10:11;
}
Replace <slot_id> with the actual value of the physical or virtual slot.
Run the sautil utility to initiate a persistent sautil session on the Luna HSM slot:
/usr/local/bin/sautil -v -s <slot_id> -i 10:11 -o -q
If a persistent session is not required, alternative methods for login can be found in the README-GEM-CONFIG file located in the <GemEngine_Directory>/docs folder.
Configure Gem Engine for Luna Cloud HSM
Follow these steps to configure Gem Engine for Luna Cloud HSM:
Create a text file to store the partition crypto officer password:
echo <partition_password> > <path_to_my_passfile>/passfile
Open the /<ChrystokiConfigurationFile_Directory>/Chrystoki.conf file and insert the following in the GemEngine section:
GemEngine = {
LibPath = <path to LibCryptoki2.so>;
LibPath64 = <path to LibCryptoki2_64.so>;
EnableDsaGenKeyPair = 1;
EnableRsaGenKeyPair = 1;
DisablePublicCrypto = 1;
EnableRsaSignVerify = 1;
EnableLoadPubKey = 1;
EnableLoadPrivKey = 1;
DisableCheckFinalize = 1;
DisableEcdsa = 1;
DisableDsa = 0;
DisableRand = 0;
EngineInit = "<Partition Label>":0:0:passfile=<path_to_my_passfile>/passfile;
EnableLoginInit = 1;
}
```
Replace `<Partition Label>` with your partition label, and ensure that `passfile` points to the correct path for the file containing the Crypto Officer password.
{: .numbered }
In the Misc section of `Chrystoki.conf`, add the following flag and save the changes. Do not remove the default values already present in the Misc section:
{: .numbered }
```bash
Misc = {
FinalizeOnClose = 1;
}
Verify OpenSSL and Gem Engine Integration on UNIX
Follow these steps for verifying the integration of OpenSSL and Gem Engine on UNIX:
Generate Cryptographic Objects for OpenSSL CMS
To generate the necessary cryptographic objects for OpenSSL CMS, including the CA private key, CA certificate, and receiver and sender certificates:
Open the <OPENSSLDIR>/openssl.cnf file in a text editor, and within the [CA_default] section, make the following changes:
dir = /usr/local/ssl
new_certs_dir = $dir/certs
You can customize the dir parameter, but ensure to use the correct path in subsequent steps.
If the directory for saving certificates doesn't exist, create it:
mkdir -p /usr/local/ssl/certs
Create the text files /usr/local/ssl/index.txt and /usr/local/ssl/serial.
Open /usr/local/ssl/serial, insert the value 01 at the top of the file, and press the Enter key. Save the changes to the file.
Generate a 2048-bit private key for the Certificate Authority (CA) using the Gem Engine. The key is generated on the Luna HSM’s partition:
openssl genrsa -engine gem 2048
List the generated key pair using the cmu utility:
<LunaClient_Installation_Directory>/bin/cmu list
Example:
/usr/safenet/lunaclient/bin/cmu list
Provide the partition password when prompted and take note of the private key label for the CA keys.
Generate a CA certificate using the key created in a previous step for signing other certificates:
openssl req -engine gem -new -x509 -days 365 -key rsa-private-a55e015d94ee6c4a559dfab7c39a2069d4064bcd -keyform engine -out /usr/local/ssl/certs/ca.cer
Replace rsa-private-a55e015d94ee6c4a559dfab7c39a2069d4064bcd with the object label for the CA private key on Luna HSM or Luna Cloud HSM.
Create directories for generating certificate requests for the sender and receiver:
mkdir /usr/local/ssl/certs/sender
mkdir /usr/local/ssl/certs/receiver
Generate a certificate request for the sender:
openssl req -engine gem -newkey rsa:2048 -out /usr/local/ssl/certs/sender/sender.txt
The sender's request is used to generate the sender's certificate signed by the CA.
List the generated key pair using the cmu utility:
/usr/safenet/lunaclient/bin/cmu list
Provide the partition password when prompted and note down the private key label of sender keys.
Generate a certificate request for the receiver:
openssl req -engine gem -newkey rsa:2048 -out /usr/local/ssl/certs/receiver/receiver.txt
The receiver's request is used to generate the receiver's certificate signed by the CA.
List the generated key pair using the cmu utility:
/usr/safenet/lunaclient/bin/cmu list
Provide the partition password when prompted and note down the private key label of receiver keys.
Sign the certificate request of the sender by CA:
openssl ca -engine gem -policy policy_anything -cert /usr/local/ssl/certs/ca.cer -in /usr/local/ssl/certs/sender/sender.txt -keyfile rsa-private-a55e015d94ee6c4a559dfab7c39a2069d4064bcd -keyform engine -out /usr/local/ssl/certs/sender/sender.cer
Replace rsa-private-a55e015d94ee6c4a559dfab7c39a2069d4064bcd with the object label for the CA private key on Luna HSM or Luna Cloud HSM created in a previous step.
Sign the certificate request for the receiver by CA:
openssl ca -engine gem -policy policy_anything -cert /usr/local/ssl/certs/ca.cer -in /usr/local/ssl/certs/receiver/receiver.txt -keyfile rsa-private-a55e015d94ee6c4a559dfab7c39a2069d4064bcd -keyform engine -out /usr/local/ssl/certs/receiver/receiver.cer
Replace rsa-private-a55e015d94ee6c4a559dfab7c39a2069d4064bcd with the object label for the CA private key on Luna HSM or Luna Cloud HSM created in a previous step.
Use OpenSSL CMS cryptographic objects to sign, verify, encrypt, and decrypt a message
Follow these steps for using OpenSSL CMS to sign, verify, encrypt, and decrypt a message between a sender and receiver, all facilitated by the Gem Engine on Luna HSM or Luna Cloud HSM:
While OpenSSL CMS relies exclusively on RSA_PKCS, Luna Cloud HSM and Luna HSM firmware versions 7.7.2 onwards do not support RSA_PKCS for encryption/decryption when operating in FIPS mode. If your HSM is configured in FIPS mode, it is recommended to refer to APPENDIX A for guidance on executing the same cryptographic operations under these specific circumstances. This ensures compatibility and adherence to security protocols while utilizing the OpenSSL CMS.
Create a text file named message.txt.
Sign the message.txt file using the sender’s private key.
openssl cms -engine gem -sign -in message.txt -signer /usr/local/ssl/certs/sender/sender.cer -inkey rsa-private-7dfdb3caaf25a63b3d8a81d2a3b51668decafe0f -keyform engine -out sendmail.msg
Replace rsa-private-7dfdb3caaf25a63b3d8a81d2a3b51668decafe0f with the object label for the sender's private key.
Encrypt the sendmail.msg using the receiver’s public key.
openssl cms -engine gem -encrypt -in sendmail.msg -out sendmail_enc.msg /usr/local/ssl/certs/receiver/receiver.cer
Decrypt the sendmail_enc.msg using the receiver’s private key.
openssl cms -engine gem -decrypt -in sendmail_enc.msg -inkey rsa-private-ec0fcb1ce9114662556caab35fc2baf0565752ec -keyform engine -out sendmail_dec.msg
Replace rsa-private-ec0fcb1ce9114662556caab35fc2baf0565752ec with the object label for the receiver's private key.
Verify the signature of sendmail_dec.msg using the sender’s public key.
openssl cms -engine gem -verify -in sendmail_dec.msg -CAfile /usr/local/ssl/certs/ca.cer -out out.txt /usr/local/ssl/certs/sender/sender.cer
Open out.txt and compare its contents with message.txt. Both files should contain the same message, confirming successful cryptographic operations.
Close the sautil session if you are using Luna HSM slot.
/usr/local/bin/sautil -c -s <slot_id> -i 10:11 -q
The integration of OpenSSL with Luna HSM or Luna Cloud HSM using Gem Engine on UNIX is now complete.
Integrate OpenSSL with Luna HSM on Windows
To integrate OpenSSL with Luna HSM on Windows, use the following steps:
Install and configure OpenSSL toolkit on Windows
For installation and configuration of the OpenSSL toolkit on your Windows system, proceed through the following steps:
Go to the OpenSSL toolkit directory within <engine-directory>\builds\win. Extract the contents of sautil-win64-openssl-x.x.xx.tar.gz and ssl-win64-openssl-x.x.xx.tar.gz into the C:\ directory.
Enhance your system environment by adding C:\cygwin\usr\local\sautil\bin and C:\cygwin\usr\local\ssl\bin to the system path. You can achieve this through Control Panel -> System -> Change Settings -> Advanced -> Environment Variables -> System Variables.
While this step is recommended for convenience, it is not mandatory.
Establish a centralized working directory by creating the C:\ssl directory for your Windows installation.
In the newly created working directory, generate an openssl.cnf file. Copy and paste the provided text into openssl.cnf, saving it as C:\ssl\openssl.cnf:
# SSLeay example configuration file.
# This is mostly being used for generation of certificate requests.
RANDFILE = .rnd
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
certs = certs # Directory for issued certificates
crl_dir = crl # Directory for certificate revocation lists (CRL)
database = index.txt # Database index file
new_certs_dir = certs # Default directory for new certificates
certificate = cacert.pem # File path for the CA certificate
serial = serial.txt # File containing the current serial number
crl = crl.pem # File containing the current Certificate Revocation List (CRL)
private_key = private\cakey.pem # File path for the private key
RANDFILE = private\private.rnd # File path for private random number file
x509_extensions = x509v3_extensions # Extensions to add to the certificate
default_days = 365 # Duration for which certificates are valid (in days)
default_crl_days = 30 # Duration before the next Certificate Revocation List (CRL)
default_md = md5 # Message Digest algorithm to use
preserve = no # Maintain passed DN (Distinguished Name) ordering
# Define the policy for matching attributes in the certificate request
# For CA type, the listed attributes must match, and optional
# and supplied fields are exactly that :-)
policy = policy_match
# Define the matching criteria for CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
emailAddress = optional
# Define the policy for 'anything' type
# At this point, list all acceptable 'object' types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
# Certificate Request Configuration
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# Distinguished Name fields for the certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (city, for example)
organizationName = Organization Name (company, for example)
organizationalUnitName = Organizational Unit Name (section, for example)
commonName = Common Name (domain name of your website, for example)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
# Additional request attributes
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
# Extensions for the certificate request
[ x509v3_extensions ]
# Add more extensions as needed
# under ASN.1, the 0 bit would be encoded as 80
# nsCertType = 0x40
# nsBaseUrl
# nsRevocationUrl
# nsRenewalUrl
# nsCaPolicyUrl
# nsSslServerName
# nsCertSequence
# nsCertExt
# nsDataType
Ensure proper configuration using the openssl.cnf file.
Set the OpenSSL configuration file path. Execute the following command in the command prompt:
set OPENSSL_CONF=C:\ssl\openssl.cnf
Configure Gem Engine to use Luna HSM on Windows
To set up Gem Engine for Luna HSM on Windows, complete one of the following tasks based on your specific needs:
Configure Gem Engine for Luna HSM on Windows
To configure Gem Engine for Luna HSM on Windows:
Open the crystoki.ini file and append the following configuration to the GemEngine section:
[GemEngine]
LibPath = <Luna Client Installation Directory>\cryptoki.dll
LibPath64 = <Luna Client Installation Directory>\cryptoki.dll
EnableDsaGenKeyPair = 1
EnableRsaGenKeyPair = 1
DisablePublicCrypto = 1
EnableRsaSignVerify = 1
EnableLoadPubKey = 1
EnableLoadPrivKey = 1
DisableCheckFinalize = 1
DisableEcdsa = 1
DisableDsa = 0
DisableRand = 0
EngineInit = <slot_id>:10:11
Ensure to replace <Luna Client Installation Directory> with the actual path and <slot_id> with the specific slot ID.
Run the sautil utility to initiate a persistent session on the Luna HSM slot:
C:\OpenSSL\sautil\bin>sautil -v -s <slot_id> -i 10:11 –o –q
Refer to the README-GEM-CONFIG file in <GemEngine_Directory>\docs for additional login methods and session details.
Configure Gem Engine for Luna HA slot or Luna Cloud HSM service on Windows
To configure Gem Engine for Luna HA slot or Luna Cloud HSM service:
Create a text file named passfile in <path_to_my_passfile> and save the partition password in it.
Open the crystoki.ini file and insert the following configuration into the GemEngine section:
[GemEngine]
LibPath = <Path to cryptoki.dll>
LibPath64 = <Path to cryptoki.dll>
EnableDsaGenKeyPair = 1
EnableRsaGenKeyPair = 1
DisablePublicCrypto = 1
EnableRsaSignVerify = 1
EnableLoadPubKey = 1
EnableLoadPrivKey = 1
DisableCheckFinalize = 1
DisableEcdsa = 1
DisableDsa = 0
DisableRand = 0
EngineInit = "myTokenLabel":0:0:passfile=<path_to_my_passfile>\passfile
EnableLoginInit = 1
Replace <Path to cryptoki.dll> and <path_to_my_passfile> with the actual paths and labels relevant to your configuration.
Verify the OpenSSL and Gem Engine integration on Windows
Follow these steps to ensure the successful integration of OpenSSL and Gem Engine:
Generate cryptographic objects for OpenSSL CMS
To prepare cryptographic objects for OpenSSL CMS, follow these steps:
Set the OPESSL_CONF path to specify the configuration file for OpenSSL:
set OPESSL_CONF=<Path to openssl.conf>
Create the necessary directories for OpenSSL operations:
C:\ssl>mkdir keys
C:\ssl>mkdir requests
C:\ssl>mkdir certs
Create the index.txt file, an empty (zero-byte) text file located at C:\ssl\index.txt.
Create the serial.txt file by opening C:\ssl\serial.txt, adding the string 01 on the first line, and then saving the file.
Transfer the libeay32.dll and ssleay32.dll libraries to the folder housing the sautil.exe file. Skip this step if you're utilizing Gem Engine version 1.3 or higher.
Generate a 2048-bit private key on the Luna HSM using Gem Engine for subsequent CA creation. This action generates the RSA 2048-bit key on either the Luna HSM partition or the Luna Cloud HSM service.
C:\ssl>openssl genrsa -engine gem 2048
List the generated key pair using the cmu utility:
C:\ssl> <LunaClient_Installation_Directory>\Cmu.exe list
Example:
C:\ssl> C:\Program Files\SafeNet\LunaClient\Cmu.exe list
Provide the partition password when prompted.
Create a CA certificate based on the generated key:
C:\ssl> openssl req -engine gem -new -x509 -days 365 -key rsa-private-08bde9331fa3be515d2e7db9dd1e28b36b50632e -keyform engine -out certs/ca.cer
Here, rsa-private-08bde9331fa3be515d2e7db9dd1e28b36b50632e refers to the object label for the CA private key on the Luna HSM or Luna Cloud HSM service created in a previous step.
Create a certificate request for the sender. This sender request is used to generate the sender’s certificate signed by the CA.
C:\ssl> openssl req -engine gem -newkey rsa:2048 -out requests/sender.txt
List the generated key pair using the cmu utility:
C:\ssl> <LunaClient_Installation_Directory>\Cmu.exe list
Example:
C:\ssl> C:\Program Files\SafeNet\LunaClient\Cmu.exe list
Provide the partition password when prompted.
Create a certificate request for the receiver. This receiver request is used to generate the receiver’s certificate signed by the CA.
C:\ssl> openssl req -engine gem -newkey rsa:2048 -out requests/receiver.txt
List the generated key pair using the cmu utility:
C:\ssl> <LunaClient_Installation_Directory>\Cmu.exe list
Example:
C:\ssl> C:\Program Files\SafeNet\LunaClient\Cmu.exe list
Provide the partition password when prompted.
Use the CA to sign the certificate request for the sender:
C:\ssl> openssl ca -engine gem -policy policy_anything -cert certs/ca.cer -in requests/sender.txt -keyfile rsa-private-08bde9331fa3be515d2e7db9dd1e28b36b50632e -keyform engine -out certs/sender.cer
Here, rsa-private-08bde9331fa3be515d2e7db9dd1e28b36b50632e represents the object label for the CA private key on the Luna HSM or HSM on Luna Cloud HSM service created in step 6.
Use the CA to sign the certificate request for the receiver:
C:\ssl> openssl ca -engine gem -policy policy_anything -cert certs/ca.cer -in requests/receiver.txt -keyfile rsa-private-08bde9331fa3be515d2e7db9dd1e28b36b50632e -keyform engine -out certs/receiver.cer
Again, rsa-private-08bde9331fa3be515d2e7db9dd1e28b36b50632e denotes the object label for the CA private key on the Luna HSM or HSM on Luna Cloud HSM service created in a previous step.
Utilize OpenSSL CMS cryptographic objects to sign, verify, encrypt, and decrypt a message
To use OpenSSL CMS to securely send and receive messages with Luna HSM:
While OpenSSL CMS relies exclusively on RSA_PKCS, Luna Cloud HSM and Luna HSM firmware versions 7.7.2 onwards do not support RSA_PKCS for encryption/decryption when operating in FIPS mode. If your HSM is configured in FIPS mode, it is recommended to refer to APPENDIX A for guidance on executing the same cryptographic operations under these specific circumstances. This ensures compatibility and adherence to security protocols while utilizing the OpenSSL CMS.
Create a text file named message.txt in the C:\ssl directory.
Sign the message.txt using the sender’s private key.
C:\ssl>openssl cms -engine gem -sign -in message.txt -signer certs\sender.cer -inkey rsa-private-605ddfab1e95bfac36eec44f291647e8a3ff5f64 -keyform engine -out sendmail.msg
Replace rsa-private-605ddfab1e95bfac36eec44f291647e8a3ff5f64 with the object label for the sender’s private key on Luna HSM or Luna Cloud HSM service.
Encrypt sendmail.msg using the receiver’s public key.
C:\ssl>openssl cms -engine gem -encrypt -in sendmail.msg -out sendmail_enc.msg certs\receiver.cer
Decrypt sendmail_enc.msg using the receiver’s private key.
C:\ssl>openssl cms -engine gem -decrypt -in sendmail_enc.msg -inkey rsa-private-a216d3b9276268459598f163ff7163aa30cbd3d0 -keyform engine -out sendmail_dec.msg
Replace rsa-private-a216d3b9276268459598f163ff7163aa30cbd3d0 with the object label for the receiver’s private key on Luna HSM or Luna Cloud HSM service.
Verify the signature of sendmail_dec.msg using the sender’s public key.
C:\ssl>openssl cms -engine gem -verify -in sendmail_dec.msg -CAfile certs\ca.cer -out out.txt certs\sender.cer
Open out.txt and compare its contents with message.txt.
Close the session with sautil, if you are using Luna HSM partition.
C:\OpenSSL\sautil\bin>sautil -c -s <slot_id> -i 10:11 –q
This concludes the integration of OpenSSL with Luna Network HSM or Luna Cloud HSM service using Gem Engine on Windows.
Appendix A
To use OpenSSL CMS to securely send and receive messages with Luna HSM:
While OpenSSL CMS relies exclusively on RSA_PKCS, Luna Cloud HSM and Luna HSM firmware versions 7.7.2 onwards do not support RSA_PKCS for encryption/decryption when operating in FIPS mode. If your HSM is configured in FIPS mode, it is advisable to follow these steps to ensure the execution of the same cryptographic operations under these specific circumstances. This approach guarantees compatibility and adherence to security protocols while utilizing OpenSSL CMS for a secure and seamless cryptographic experience.
Create a text file named message.txt to serve as the content for your secure communication.
The keys for both the sender and receiver are securely stored on the Luna HSM. Utilize the object label of keys on the Luna HSM partition for decrypting and signing messages.
Sign the message.txt file using the sender's private key stored on the Luna HSM.
openssl cms -engine gem -sign -in message.txt -signer /usr/local/ssl/certs/sender/sender.cer -inkey rsa-private-613247c58f0ca0d7f2bb5a14efb2c7d53ed45322 -keyform engine -out sendmail.msg
Here, rsa-private-613247c58f0ca0d7f2bb5a14efb2c7d53ed45322 is the object label for the sender’s private key on the Luna HSM.
Encrypt the signed file sendmail.msg using the receiver's public key:
a. Generate an AES key:
openssl rand -engine gem -hex 32 > encryption_aes.key
b. Encrypt the signed message using the generated AES key:
openssl enc -aes-256-cbc -a -pbkdf2 -k encryption_aes.key -in sendmail.msg -out sendmail.enc
c. Encrypt the AES key using the receiver's public key:
openssl rsautl -encrypt -oaep -engine gem -in encryption_aes.key -out encryption_aes.enc -certin -inkey /usr/local/ssl/certs/receiver/receiver.cer
Transmit both the encrypted message (sendmail.enc) and the encrypted AES key to the receiver for secure communication.
Decrypt the received AES key (encryption_aes.enc) using the private key and then decrypt the encrypted message (sendmail.enc) using the decrypted AES key:
a. Decrypt the AES key using the Receiver’s Private Key:
openssl rsautl -decrypt -oaep -engine gem -in encryption_aes.enc -out encryption_aes.key -inkey rsa-private-489393ff23d93012ab85d859cf3386ef42fcc186 -keyform engine
Here, rsa-private-489393ff23d93012ab85d859cf3386ef42fcc186 is the object label for the receiver’s private key on the Luna HSM.
b. Decrypt the signed message using the decrypted AES key:
openssl enc -aes-256-cbc -d -a -pbkdf2 -k encryption_aes.key -in sendmail.enc -out sendmail.dec
Verify the signature of the decrypted message (sendmail.dec) using the public key associated with the sender’s certificate.
openssl cms -engine gem -verify -in sendmail.dec -CAfile /usr/local/ssl/certs/ca.cer -out sendmail.txt /usr/local/ssl/certs/sender/sender.cer
Open the sendmail.txt file and compare its contents with the original message.txt. Both files should have the same message, confirming the successful completion of all cryptographic operations.
Troubleshooting
If you're facing technical issues, browse through our troubleshooting tips to find the answers you need.
Unable to detect sautil on the system
If sautil is not detected on your system, it could be due to a prior installation of OpenSSL or if you've applied patches to the Luna Engine in the OpenSSL source code.
Solution
If sautil is not available, you can install it by following these steps:
Traverse to the toolkit and untar the luna-samples file.
Under luna-samples, locate sautil. Within sautil, find the sautil.c file.
Open sautil.c, search for #define LUNA_OSSL_ECDSA (1), and disable it.
Save and close the file.
Run the following commands in the sautil directory under luna-samples:
./configure.sh
make
Verify that /usr/local/sautil/bin/sautil is installed on your system.
This should address the issue of sautil not being found on your system. If you encounter any further problems, please refer to the documentation or seek assistance from your system administrator.
Encountering an error during OpenSSL source installation with the gembuild script provided by the OpenSSL toolkit:
make[2]: *** No rule to make target `../../include/openssl/idea.h', needed by `e_idea.o'. Stop.
make[2]: Leaving directory `/home/openssl-1.0.1s/crypto/evp'
make[1]: *** [subdirs] Error 1
make[1]: Leaving directory `/home/openssl-1.0.1s/crypto'
make: *** [build_crypto] Error 1
ERROR: There was an issue compiling OpenSSL. See /home/gemengine-1.1/logs/openssl-build.log for details.
Solution
To address this issue, insert make depend into the gembuild script at line 453, immediately after the make clean command. This error stems from a recent modification in OpenSSL, requiring the execution of make depend before make install.
Encountering a segmentation fault (core dumped) error during the OpenSSL sign operation with OpenSSL v1.1.0 and Gem Engine:
openssl req -engine gem -new -x509 -days 365 -key rsa-private-d6b5261ac7f89d6b3b80d4c0f8aea11f185b95a1 -keyform engine -out /usr/local/ssl/certs/ca.cer
engine "gem" set.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:IN
State or Province Name (full name) []:Uttar Pradesh
Locality Name (eg, city) []:Noida
Organization Name (eg, company) []: Thales
Organizational Unit Name (eg, section) []: HSM
Common Name (eg, your website's domain name) []:ca.example.com
Email Address []:
Segmentation fault (core dumped)
Solution
To resolve the error caused by the Gem Engine calling the function luna_fini_p11 while in the execution path of exit(), follow these steps:
Open the e_gem.c file in the vi editor:
vi /home/gemengine-1.3/engine/e_gem.c
At line 934, comment the function as follows:
//luna_fini_p11();
Save and close the file.
Remove gem.so from the OpenSSL engine directory:
rm -rf /usr/local/ssl/lib/engines-1.1/gem.so
Recompile gem.so:
./gembuild engine-build
./gembuild engine-install
Rerun the OpenSSL sign operation command that previously encountered the segmentation fault. The certificate signing process should now complete without displaying any segmentation faults.
openssl req -engine gem -new -x509 -days 365 -key rsa-private-d6b5261ac7f89d6b3b80d4c0f8aea11f185b95a1 -keyform engine -out /usr/local/ssl/certs/ca.cer
engine "gem" set.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:IN
State or Province Name (full name) []:Uttar Pradesh
Locality Name (for example, city) []:Noida
Organization Name (for example, company) []:Thales
Organizational Unit Name (for example, section) []:HSM
Common Name (for example, your websites domain name) []:ca.example.com
Email Address []:
