Configure NTLS and SSH Key Size and Type
Key size
Create NTLS keys of varying sizes on the Luna Network HSM 7 appliance using the sysconf regenCert command.
Configure SSH keys (key size and curve size) using the sysconf ssh regenKeyPair command.
The above key size options are available from Luna Network HSM 7 appliance software version 7.8.4 onward.
On the client side, configure the NTLS key size with the vtl createCert and vtl createCSR commands, available in Luna HSM Client version 10.7.0 and newer.
Key type
Configure SSH Ed25519 keys and ECC curves NIST P-256, P-384, and P-521 on the Luna Network HSM 7 appliance using the sysconf regenCert command.
The sysconf ssh regenKeyPair command already had the ability to generate keypairs of each type.
On the client side, configure Ed25519 keys and the ECC curves NIST P-256, P-384, and P-521 for NTLS with the vtl createCert and vtl createCSR commands, available in Luna HSM Client version 10.7.0 and newer.
Other affected commands
From Luna Network HSM 7 appliance version 7.8.4 onward, the outputs of the commands sysconf tls ciphers show, sysconf fingerprint ssh, and ntls certificate show reflect the additional sizes and types mentioned above.
On the Luna HSM Client 10.7.0 onward, the vtl examineCert command output accommodates the above additions.
Limitations
The following limitations apply:
>Valid RSA key sizes are 2048 (default), 3072, and 4096.
>The keysize argument applies only to RSA key types.
>The length of ECC and Ed25519 keys is inherent to the key type and is not adjustable; attempting to set a size yields an error.
>ECC curve type options are NIST P-256, P-384, and P-521, as well as the secp256k1 OpenSSL curve (no NIST alias).
>The default curve is secp384r1 when using sysconf regenCert.
>The default curve size is 256 when using sysconf ssh regenKeyPair (the same behaviour applies when sshd is restarted).
>The ECC curve secp256k1 is supported only for TLS 1.2, and is not available for TLS 1.3. Additionally, ECDSA ciphers must be configured (using sysconf tls ciphers set) in order to connect to NTLS with this curve type.
>Ed25519 is not supported on AIX clients through the vtl createCert and vtl createCSR commands, because AIX ships an older version of OpenSSL that does not support this key type. OpenSSL 1.1.1 or later is required for clients to use this key type through the vtl createCert/createCSR commands.
>RSA keypairs are not permitted for SSH connections, so the sysconf ssh regenKeyPair command does not have a -keysize option.
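As a pre-flight check on a server.pem or client certificate before it is registered (the examples below copy these files with scp), here is an added Python example, not Thales code, that reads the certificate with only the standard library and classifies its public key against the key types, curves and RSA sizes listed above. The OID tables and the ok flag are this example's own encoding of those limitations; a DER walk is used instead of a third-party X.509 library.

```python
import base64

# DER-encoded OID contents (tag and length stripped) that the checker recognises.
KEY_ALGS = {bytes.fromhex("2a864886f70d010101"): "rsaEncryption",
            bytes.fromhex("2a8648ce3d0201"): "id-ecPublicKey",
            bytes.fromhex("2b6570"): "Ed25519"}
CURVES = {bytes.fromhex("2a8648ce3d030107"): "secp256r1 (NIST P-256)",
          bytes.fromhex("2b81040022"): "secp384r1 (NIST P-384)",
          bytes.fromhex("2b81040023"): "secp521r1 (NIST P-521)",
          bytes.fromhex("2b8104000a"): "secp256k1 (TLS 1.2 only; ECDSA ciphers required)"}
RSA_SIZES = (2048, 3072, 4096)   # the RSA sizes listed as valid for regenCert

def tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: n length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def spki_from_cert(cert_der):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo (RFC 5280 field order)."""
    _, tbs, _ = tlv(tlv(cert_der)[1])
    tag, _, pos = tlv(tbs)
    pos = pos if tag == 0xA0 else 0                 # skip the optional [0] EXPLICIT version
    for _ in range(5):                              # serial, sigAlg, issuer, validity, subject
        _, _, pos = tlv(tbs, pos)
    return tbs[pos:tlv(tbs, pos)[2]]

def describe_key(cert_pem):
    """Return (algorithm, detail, ok) for a PEM certificate; ok means the key is one the appliance accepts."""
    der = base64.b64decode("".join(l for l in cert_pem.splitlines() if "-----" not in l))
    _, spki, _ = tlv(spki_from_cert(der))
    _, algid, pos = tlv(spki)
    _, oid, pos2 = tlv(algid)
    _, bits, _ = tlv(spki, pos)                     # BIT STRING; bits[0] is the unused-bit count
    alg = KEY_ALGS.get(oid, "unknown")
    if alg == "rsaEncryption":
        _, modulus, _ = tlv(tlv(bits[1:])[1])      # RSAPublicKey { modulus INTEGER, exponent INTEGER }
        size = int.from_bytes(modulus, "big").bit_length()
        return alg, "%d bit" % size, size in RSA_SIZES
    if alg == "id-ecPublicKey":
        curve = CURVES.get(tlv(algid, pos2)[1], "unsupported curve")
        return alg, curve, curve in CURVES.values()
    if alg == "Ed25519":
        return alg, "256 bit (fixed)", len(bits) == 33
    return alg, "", False
```

Run it on the server.pem fetched with scp to confirm the key type and curve before adding it with vtl a; the secp256k1 detail string carries the TLS 1.2 and cipher caveat so it is not silently accepted as just another ECC curve.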
Ciphers
From Luna Network HSM 7 appliance version 7.8.4 onward, the supported ECDSA ciphers include:
>ECDHE-ECDSA-AES256-GCM-SHA384
>ECDHE-ECDSA-AES128-GCM-SHA256
>ECDHE-ECDSA-AES256-SHA384
>ECDHE-ECDSA-AES128-SHA256
See also Generating the Luna Network HSM 7 Server Certificate.
Examples
Creating a new server cert on Luna Network HSM 7 with ECC default curve
To create a new server cert with the default ECC curve
1. On the Luna Network HSM 7 (LNH), generate or regenerate the server certificate, specifying the ECC key type but not a particular curve.
[lnh93] lunash:>sysconf regenCert -keytype ecc
...
[lnh93] lunash:>service restart ntls
...
[lnh93] lunash:>service restart stc
...
Command Result : 0 (Success)
[lnh93] lunash:>ntls certificate show
NTLS Server Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = CA, ST = Ontario, O = Chrysalis-ITS, CN = " lnh93"
        Validity
            Not Before: Sep 5 18:13:40 2023 GMT
            Not After : Sep 5 18:13:40 2033 GMT
        Subject: C = CA, ST = Ontario, O = Chrysalis-ITS, CN = " lnh93"
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:a7:38:4e:2a:a8:b9:32:41:f9:e2:77:6e:aa:f7:
                    2c:d3:27:52:0d:26:81:d5:fe:58:17:82:06:54:de:
                    c2:1f:94:78:95:59:f8:a4:64:7d:ab:cc:16:f5:09:
                    de:b4:c5:4e:32:50:19:aa:7f:b3:23:fe:9c:f3:31:
                    97:bc:ff:cb:a3:5a:cf:52:6f:00:95:23:b9:bd:b3:
                    04:8f:57:c4:74:0c:80:24:4c:18:42:74:7e:eb:82:
                    bd:96:cd:8c:75:10:ca
                ASN1 OID: secp384r1
                NIST CURVE: P-384
    Signature Algorithm: ecdsa-with-SHA256
         30:64:02:30:07:b7:39:39:ab:53:93:fa:e8:0a:71:58:9a:ba:
         f9:dd:d4:5f:4f:f0:37:6e:4d:5f:0e:61:87:1e:8e:02:7c:98:
         94:85:f6:d8:88:bd:21:1c:df:32:83:91:f0:96:9a:e1:02:30:
         3a:ac:4f:6b:8b:25:5f:dc:f3:e7:d6:e6:39:1b:d8:14:03:cd:
         cb:c5:0a:29:0f:dc:aa:66:dc:d8:4a:15:cd:3b:08:7a:1c:29:
         ad:6f:eb:89:75:97:7c:e8:ba:7b:2c:14
Command Result : 0 (Success)
[lnh93] lunash:>
2. On the client, configure NTLS.
[root@aa1239 bin]# ./lunacm
lunacm (64-bit) v10.7.0. Copyright (c) 2023 Thales Group. All rights reserved.

Available HSMs:

Current Slot Id: None

lunacm:>clientconfig deploy -server 192.168.141.93 -client 192.168.140.45 -partition Par1 -password 1q@W3e$R -f -v
...
lunacm:>ccfg ls

Server ID   Server            Channel   HTL Required
___________________________________________________________________
0           192.168.141.93    NTLS      no

Command Result : No Error
3. Run any command against the partition on the Luna Network HSM 7 to confirm that the connection works with the new certificate.
Creating an Ed25519 client certificate with vtl utility
To create an Ed25519 client certificate
Assume that you wish to connect to a Luna Network HSM 7 at 192.168.141.93 that already has a server certificate of type Ed25519.
1. Acquire server.pem from the Luna Network HSM 7 and add it to your client's server list.
[myclient]# scp -O admin@192.168.141.93:server.pem 93.pem
admin@192.168.141.93's password:
server.pem                                    100% 1387   139.7KB/s   00:00
[myclient]# ./vtl a -n 192.168.141.93 -c 93.pem
vtl (64-bit) v10.7.0-235. Copyright (c) 2023 Thales Group. All rights reserved.

New server 192.168.141.93 successfully added to server list.
[myclient]# ./vtl l
vtl (64-bit) v10.7.0-235. Copyright (c) 2023 Thales Group. All rights reserved.

Server: 192.168.141.93
2. Create the Ed25519 client certificate and, optionally, verify it.
[myclient]# ./vtl createcert -n 192.168.140.45 -keytype ed25519
vtl (64-bit) v10.7.0-235. Copyright (c) 2023 Thales Group. All rights reserved.

Private Key created and written to: /usr/safenet/lunaclient/cert/client/192.168.140.45Key.pem
Certificate created and written to: /usr/safenet/lunaclient/cert/client/192.168.140.45.pem
[myclient]# cd ../cert/client/
[myclient]# openssl x509 -in 192.168.140.45.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: ED25519
Issuer: C = CA, ST = Ontario, L = Ottawa, O = My company, CN = 192.168.140.45
Validity
Not Before: Nov 13 22:07:00 2023 GMT
Not After : Nov 11 22:07:00 2033 GMT
Subject: C = CA, ST = Ontario, L = Ottawa, O = My company, CN = 192.168.140.45
Subject Public Key Info:
Public Key Algorithm: ED25519
ED25519 Public-Key:
pub:
4a:e0:5e:ac:48:12:b7:46:8e:82:e2:ae:f5:a4:b4:
89:09:ce:dd:3c:28:61:f7:43:67:36:ad:b0:6f:c4:
f7:3a
Signature Algorithm: ED25519
Signature Value:
69:71:66:db:56:40:a9:d3:5c:99:50:d1:25:b7:de:0f:f4:63:
70:63:4a:3e:12:f6:89:99:e4:a6:b9:5d:32:2a:5c:f1:0d:85:
4d:3e:00:13:4f:e7:c9:db:16:37:84:04:c5:f0:06:17:82:54:
b9:31:e2:d0:5d:79:e3:7c:33:0a
[myclient]#
3. Send the new client certificate to the Luna Network HSM 7.
[myclient]# scp -O ../cert/client/192.168.140.45.pem admin@192.168.141.93:
admin@192.168.141.93's password:
192.168.140.45.pem                            100%  546   625.4KB/s   00:00
[myclient]#
4. On the Luna Network HSM 7, register the new client and assign it to the partition.
[lnh93] lunash:>client register -c 192.168.140.45 -h 192.168.140.45
'client register' successful.
Command Result : 0 (Success)
[lnh93] lunash:>client assignPartition -c 192.168.140.45 -par Pri
'client assignPartition' successful.
Command Result : 0 (Success)
[lnh93] lunash:>
5. On the client, confirm that the Luna Network HSM 7 partition appears in the slot list.
[myclient]# ./lunacm
lunacm (64-bit) v10.7.0-235. Copyright (c) 2023 Thales Group. All rights reserved.

Available HSMs:

Slot Id ->              0
Label ->
Serial Number ->        1382217483709
Model ->                LunaSA 7.8.4
Firmware Version ->     7.8.4
Bootloader Version ->   1.1.5
Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
Slot Description ->     Net Token Slot
FM HW Status ->         FM Ready

Current Slot Id: 0

lunacm:>ccfg ls

Server ID   Server            Channel   HTL Required
___________________________________________________________________
0           192.168.141.93    NTLS      no

Command Result : No Error