Creating an NTLS Connection Using Certificates Signed by a Trusted Certificate Authority
A trusted Certificate Authority (CA) can provide authentication for your NTLS connections. This can be a commercial third-party CA or your organization's own signing station. This type of connection is created in the following stages:
1.Authenticating the Appliance Using a Trusted CA
2.Authenticating a Client Using a Trusted CA
3.Registering a Client to the Appliance
NOTE This feature requires minimum Luna HSM Client version 10.1.0 and appliance software version 7.7.0. See Version Dependencies by Feature for more information.
See also Using a Combination of Self-Signed and CA-Signed Certificates.
Authenticating the Appliance Using a Trusted CA
Use the following procedure to authenticate the appliance by having its certificate signed by your trusted CA.
Prerequisites
>You must have admin-level access to LunaSH on the appliance.
To authenticate the appliance using a certificate signed by a trusted CA
1.Log in to LunaSH as admin (see Logging In to LunaSH).
2.Regenerate the Luna Network HSM server certificate, specifying the -csr option to create a Certificate Signing Request (CSR)—an unsigned certificate to be signed by a Certificate Authority (CA). You have the option to specify other information about the certificate.
CAUTION! Regenerating the server certificate will break any existing NTLS/STC connections.
lunash:> sysconf regencert -csr
3.Transfer the CSR (serverCSR.pem) from the appliance to a workstation using scp or pscp.
pscp <user>@<host/IP>:server.pem <target_filename>
NOTE When using pscp or scp over an IPv6 network, enclose addresses in square brackets.
You must accept the SSH certificate the first time you open an SCP/PSCP or SSH link. You can check the SSH fingerprint in LunaSH to confirm the secure connection.
lunash:> sysconf fingerprint ssh
4.Submit the serverCSR.pem certificate file to be signed by the Certificate Authority, as directed by the documentation of the particular Certificate Authority. You require the following artifacts from the CA:
•Signed base64(PEM)-encoded client certificate in x509 format
•The CA's base64 certificate in x509 format, including the root certificate
5.Upon receiving the signed server certificate, transfer the signed server certificate and the CA certificate chain to the admin user on the appliance using scp or pscp. The files arriving at the appliance are automatically placed in the appropriate directory. Do not specify a target directory.
6.Log in to LunaSH as admin and register the CA certificate chain in the appliance trust store. Specify each certificate's filename, minus the .pem extension. Repeat this step until the entire certificate chain is registered.
lunash:> client addCA <filename>
lunash:>client addCA CAroot Attempting to install CA cert CAroot: Command Result : 0 (Success)
7.[Optional] Display a list of CA certificates registered on the appliance.
lunash:> client listCAs
8.Install the signed appliance server certificate. This replaces the appliance's server.pem with the signed certificate.
lunash:> sysconf installcert <filename>
9.Restart the NTLS, STC and CBS services.
lunash:> service restart <service>
Authenticating a Client Using a Trusted CA
Use the following procedure to authenticate the client by having its certificate signed by your trusted CA.
Prerequisites
>You must have Administrator privileges on the client workstation.
To authenticate a client using a certificate signed by a trusted CA
1.On the client workstation, open a command prompt and navigate to the Luna HSM Client directory.
NOTE On Windows, ensure that you open a command prompt with Administrator privileges.
•Windows: C:\Program Files\SafeNet\LunaClient
•Linux/AIX: /usr/safenet/lunaclient/bin
•Solaris: /opt/safenet/lunaclient/bin
2.Create a Certificate Signing Request (CSR) for the client—an unsigned certificate to be signed by a third-party Certificate Authority (CA). You must specify the client hostname or IP. You have the option to specify other information about the certificate.
CAUTION! Regenerating the client certificate will break any existing NTLS/STC connections.
> vtl createCSR -n <client_hostname/IP>
The certificate and private key are saved to the <client_install_dir>/cert/client directory and are named <client_hostname/IP>CSR.pem and <client_hostname/IP>Key.pem, respectively. The command output displays the filepath.
3.Submit the CSR file to be signed by your preferred or in-house Certificate Authority. You require the following artifacts from the CA:
•Signed base64(PEM)-encoded client certificate in x509 format
•The CA's base64(PEM)-encoded certificate chain in x509 format, including the root certificate
4.Register the CA certificate chain in the client's trust store. Specify the full path and filename for each certificate. Repeat this step until the entire certificate chain is registered.
> vtl addCA -n <cert_name> -c <cert_filepath/name>
5.Copy the signed client certificate to the following location in the Luna HSM Client directory:
•Windows: C:\Program Files\SafeNet\LunaClient\cert\client\
•Linux/AIX: /usr/safenet/lunaclient/cert/client/
•Solaris: /opt/safenet/lunaclient/cert/client/
6.Add the IP/hostname of any Luna Network HSM appliance where the client will access application partitions. The CA chain used to sign the certificate must be added to the trust store of the appliance, as described in Authenticating the Appliance Using a Trusted CA.
> vtl addServerNoCert -n <IP/hostname>
7.[Optional] Edit crystoki.ini/Chrystoki.conf to enable server IP/hostname validation on the client. Do this only if the appliance server certificate was created with Subject Alternate Names (SANs).
[Misc] ValidateHost=1
Registering a Client to the Appliance
Finally, you must transfer the signed client certificate to the appliance and register it.
Prerequisites
>The CA chain used to sign the certificate must be added to both the client's and the appliance's trust store.
>You must have admin-level access to LunaSH on the appliance.
To register a client to the appliance
1.Transfer the signed client certificate to the appliance using pscp or scp.
2.Log in to LunaSH as admin (see Logging In to LunaSH).
3.Register the client's certificate on the appliance. Specify the client's IP address or hostname, depending on which was used to create the certificate.
lunash:> client register -client <clientname> {-hostname <hostname> | -ip <IPaddress>}
You can now assign partitions to the client (see Assigning or Revoking NTLS Client Access to a Partition).
Using a Combination of Self-Signed and CA-Signed Certificates
It is possible to use a combination of self-signed and CA-signed certificates; meaning a CA-signed certificate on the Luna Network HSM appliance and a self-signed certificate on the client, or vice-versa. To use this configuration, modify the instructions above as follows:
To use a self-signed client certificate and a CA-signed appliance certificate
>The entire CA certificate chain must still be registered on both client and appliance.
>Transfer the client's self-signed certificate (<IP/hostname>.pem) to the appliance and register it.
lunash:> client register -client <clientname> {-hostname <hostname> | -ip <IPaddress>}
To use a self-signed appliance certificate and a CA-signed client certificate
>The entire CA certificate chain must still be registered on both client and appliance.
>Transfer the appliance's self-signed certificate (server.pem) to the client and register it.
> vtl addServer -n <IP/hostname> -c <cert_filename>