Generate a New HSM Server Certificate

Although your HSM appliance came with a server certificate, good security practice dictates that you should generate a new one.

To generate a new server certificate

1. Use sysconf regenCert to generate a new Server Certificate:

The command sysconf regenCert (with no IP address appended) is suitable if your network uses DNS and, while the regeneration command runs, the HSM appliance can retrieve correct DNS information about itself. If DNS is not used, or DNS does not know about the HSM appliance, an invalid certificate is generated that prevents NTLS from running later.

In situations where DNS is not used or contains unreliable information, use the form "sysconf regenCert <ip_of_hsm_appliance>" to generate a usable NTLS certificate.

sysconf regenCert (without the IP argument) populates the CN field of the server certificate with the unqualified hostname of the appliance. If the appliance is set up correctly for use in a DNS environment, this works. The command does not check.

sysconf regenCert with the IP argument results in a certificate with the appliance's IP address in the CN field.

Using SafeNet Network HSM with the link configured for IP-only speeds up the NTLS client connection lookup and bypasses potential issues such as transient DNS lookup failures and typing errors.

lunash:>sysconf regencert

WARNING !!  This command will overwrite the current server certificate and private key.
            All clients will have to add this server again with this new certificate.
If you are sure that you wish to proceed, then type 'proceed', otherwise type 'quit'

> proceed
Proceeding...

ERROR. Partition named "Cryptoki User" not found

'sysconf regenCert' successful. NTLS and STC must be (re)started before clients can connect.

Please use the 'ntls show' command to ensure that NTLS is bound to an appropriate network device or IP address/hostname
for the network device(s) NTLS should be active on. Use 'ntls bind' to change this binding if necessary.

Command Result : 0 (Success)
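Because sysconf regenCert does not verify that DNS knows about the appliance, the following pre-flight check (added here; not part of the SafeNet documentation or the lunash command set) decides which form of the command to run and which CN the resulting certificate will carry. It assumes the appliance's unqualified hostname and the IP address NTLS will be bound to, and treats "correct DNS information about itself" as a forward lookup that returns the NTLS IP plus a reverse lookup that returns the same host; the resolver functions are injectable so the logic can be exercised offline with constructed DNS data.

```python
# Added pre-flight check for "sysconf regenCert" (example code, not SafeNet's).
# Assumption: the regenerated certificate's CN is the unqualified hostname
# without the IP argument, and the IP address with it, as the page states.
import socket
from typing import Callable, Optional, Tuple

Forward = Callable[[str], Optional[str]]  # hostname -> IP, or None if unresolvable
Reverse = Callable[[str], Optional[str]]  # IP -> hostname, or None if unresolvable


def system_forward(name: str) -> Optional[str]:
    """Forward lookup using the resolver of the machine running this script."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def system_reverse(ip: str) -> Optional[str]:
    """Reverse lookup using the resolver of the machine running this script."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def dns_consistent(hostname: str, ntls_ip: str, forward: Forward, reverse: Reverse) -> bool:
    """True only if DNS maps the appliance hostname to the NTLS IP and back again."""
    if forward(hostname) != ntls_ip:
        return False
    rev = reverse(ntls_ip)
    # PTR records are usually fully qualified; compare only the first label.
    return rev is not None and rev.split(".")[0].lower() == hostname.lower()


def choose_regencert(hostname: str, ntls_ip: str,
                     forward: Forward = system_forward,
                     reverse: Reverse = system_reverse) -> Tuple[str, str]:
    """Return (lunash command to run, CN the new server certificate will carry)."""
    if dns_consistent(hostname, ntls_ip, forward, reverse):
        return ("sysconf regenCert", hostname)
    # DNS absent or wrong: put the IP in the CN so NTLS gets a usable certificate.
    return (f"sysconf regenCert {ntls_ip}", ntls_ip)


if __name__ == "__main__":
    # Constructed sample values; replace with your appliance's hostname and NTLS IP.
    print(choose_regencert("luna23", "192.20.10.96"))
```

The check uses the resolver of the host it runs on, which may differ from what the appliance itself sees; run it from a machine on the same network segment, or pass resolvers that reflect the appliance's DNS configuration.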

2. From the factory, the network trust link service (NTLS) is bound to the loopback device by default. To use the appliance on your network, you must bind NTLS to one of the two Ethernet ports, ETH0 or ETH1, or to a hostname or IP address. Use the ntls show command to see the current status.

Use ntls bind to bind the service:

[luna23] lunash:>ntls bind eth0

Success: NTLS binding network device eth0 set.
NOTICE: The NTLS service must be restarted for new settings to take effect.
If you are sure that you wish to restart NTLS, then type 'proceed', otherwise type 'quit'
> proceed
Proceeding...
Restarting NTLS service...
Stopping ntls:                                             [  OK  ]
Starting ntls:                                             [  OK  ]
Command Result : 0 (Success)
[luna23] lunash:>

Or, an example using an IP address:

[myluna] lunash:>ntls bind eth0 -bind 192.20.10.96
Success: NTLS binding hostname or IP Address 192.20.10.96 set.
NOTICE: The NTLS service must be restarted for new settings to take effect.
If you are sure that you wish to restart NTLS, then type 'proceed', otherwise type 'quit'
> proceed
Proceeding...
Restarting NTLS service...
Stopping ntls:                                             [  OK  ]
Starting ntls:                                             [  OK  ]
Command Result : 0 (Success)
[myluna] lunash:>ntls show
NTLS bound to network device: eth0  IP Address: "192.20.10.96" (eth0)
Command Result : 0 (Success)

Note: The "Stopping ntls" operation might fail in the above example, because NTLS is not yet running on a new HSM appliance. Just ignore the message. The service starts again, whether the stop was needed or not.

If you have been following the instructions in these pages as part of setting up a new HSM appliance, the next step is to initialize the HSM on your SafeNet Network HSM appliance. Choose one of the following links, according to the type of HSM appliance that you have:

Initializing a Password Authenticated HSM.

Initializing a PED-Authenticated HSM.