Luna Network Attached HSM v7.x: CSR & Attestation Guide

This guide provides step-by-step instructions for completing your code signing order using the “Install on Existing HSM” method with a Luna Network Attached HSM v7.x: the key pair is generated inside the HSM, a CSR is produced from it, and an attestation package proving where the key lives is exported for upload with the order.

Please note that this guide assumes you already possess a Luna HSM and know how to operate it. Ownership of this hardware is a prerequisite for the “Install on Existing HSM” method.

If you’re not acquainted with hardware security modules, you can order a pre-configured certificate token (Token + Shipping method) instead.

The following instructions are offered by Sectigo CA. For any further assistance with third-party hardware, refer to your hardware security module (HSM) manufacturer, as they provide dedicated support for their devices.

Luna HSM Attestation Package

Luna HSMs can produce a public key confirmation package (PKC) for any key pair stored within the HSM. The PKC attests that the key pair was generated inside, and is held by, a FIPS-validated Luna HSM; the CA uses it to confirm that the code signing private key never existed outside the hardware.

Attestation Package Format

A PKC is a DER-encoded PKCS#7 (.p7b) file containing a certificate chain. The contents of the chain depend on the asymmetric algorithm used to create the key pair.

PKC for RSA Keypair

When generating a PKC for an RSA key pair, two formats are available (selected with the -pkctype parameter of cmu getpkc):

  1. TC-TrustCenter (-pkctype=1): the chain contains 3 certificates, but it does not end with the expected SafeNet root.
  2. Chrysalis-ITS (-pkctype=2): the chain contains 5 certificates and ends with the expected SafeNet root.

Sectigo expects the Chrysalis-ITS format. For further details, consult Thales' documentation for the Luna HSM.

How to generate the PKC in Chrysalis-ITS format

To create a PKC in the Chrysalis-ITS format for an RSA key pair, please follow these steps:

1. Make sure the Luna HSM Client on your workstation can see the HSM partition that will hold the code signing key, and that you can log in to it as the Crypto Officer. The lunacm utility in the client directory is used for this:

For Windows:

cd "C:\Program Files\SafeNet\LunaClient"
lunacm

For Linux:

cd /usr/safenet/lunaclient/bin
./lunacm

2. Generate an RSA key pair on the partition with the Certificate Management Utility (cmu). cmu is a separate executable in the same client directory and is run from the operating system shell, not from the lunacm prompt; it asks for the slot number and the partition password when it runs.

Command:

cmu gen -modulusBits=3072 -publicExp=65537 -sign=T -verify=T -label=example-key -extractable=false

Note: The parameters “-sign=T” and “-extractable=false” are mandatory. The CSR in step 4 is signed with this private key, so the key must carry the sign attribute, and the key must be non-extractable; without both, the key cannot be used for the code signing CSR and attestation.

3. Obtain the handle numbers of your public and private keys from the output of the following commands (each line shows a handle and the key label; look for the label you chose in step 2):

cmu list -class public
cmu list -class private

4. Create a Certificate Signing Request (CSR) with this command, replacing AAA and BBB with your public and private key handles respectively. The subject values shown are examples; quote any value that contains spaces:

cmu requestcert -publichandle=AAA -privatehandle=BBB -C=CA -L=Ottawa -O=Sectigo -CN="PKC Test Cert" -outputFile=rsacsr.pem

5. Generate the PKC by running this command, replacing AAA with your public key handle and <name> with the output file name you want. -pkctype=2 selects the Chrysalis-ITS format and -verify has the client check the package before writing it:

cmu getpkc -handle=AAA -outputfile=<name>.p7b -pkctype=2 -verify

6. Keep the resulting .p7b file; it is your attestation package.

7. To inspect the certificate chain on Windows, double-click the saved .p7b file to open it in the certificate viewer. A Chrysalis-ITS package should show five certificates ending in the SafeNet root.
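The whole procedure as one script, with two small checks that the guide leaves to the eye. This is an added example and is not part of the Sectigo guide or of Thales' tooling. It assumes the Linux client path shown above, that cmu prompts for the slot and partition password on each call, that `cmu list` prints one `handle=N<tab>label=...` line per key (verify this against your client's actual output), and that openssl is available to read the .p7b. The file name example-key-pkc.p7b and the helper function names are my own.

```shell
#!/bin/sh
# Added example (not from the original guide or from Thales): scripted RSA key
# generation, CSR and Chrysalis-ITS PKC export on a Luna Network HSM v7.x
# client, plus helpers that check the results.
# Assumptions (not stated on the page): cmu lives in /usr/safenet/lunaclient/bin,
# prompts for slot and partition password interactively, and `cmu list` prints
# one "handle=N<tab>label=<label>" line per key.

CLIENT_BIN=/usr/safenet/lunaclient/bin
KEY_LABEL=${KEY_LABEL:-example-key}
CSR_FILE=${CSR_FILE:-rsacsr.pem}
PKC_FILE=${PKC_FILE:-example-key-pkc.p7b}   # assumed output name, not from the guide

# Print the handle of the first key whose label equals $1, reading `cmu list`
# output on stdin (prompt text is ignored because only handle= lines match).
# Returns 1 if no key with that label is listed.
handle_for_label() {
    awk -v want="$1" '
        $1 ~ /^handle=/ {
            h = $1; sub(/^handle=/, "", h)
            l = $0; sub(/^.*label=/, "", l)
            if (l == want) { print h; found = 1; exit }
        }
        END { if (!found) exit 1 }'
}

# Number of certificates a well-formed PKC of the given -pkctype carries,
# as described in the guide: 1 = TC-TrustCenter (3), 2 = Chrysalis-ITS (5).
expected_chain_length() {
    case "$1" in
        1) echo 3 ;;
        2) echo 5 ;;
        *) echo "unknown pkctype: $1" >&2; return 1 ;;
    esac
}

# Count the certificates inside a DER PKCS#7 file with openssl; this is the
# command-line equivalent of double-clicking the .p7b on Windows.
pkc_cert_count() {
    openssl pkcs7 -inform DER -in "$1" -print_certs -noout | grep -c '^subject='
}

# Steps 2 to 7 of the guide, in order. Each cmu call prompts for the slot and
# the partition password; that keeps the password out of the shell history.
generate_csr_and_pkc() {
    PATH="$CLIENT_BIN:$PATH"
    # Step 2: non-extractable RSA-3072 signing key (both attributes are required).
    cmu gen -modulusBits=3072 -publicExp=65537 -sign=T -verify=T \
        -label="$KEY_LABEL" -extractable=false
    # Step 3: take the handles from `cmu list` instead of reading them off the screen.
    pub=$(cmu list -class public  | handle_for_label "$KEY_LABEL")
    priv=$(cmu list -class private | handle_for_label "$KEY_LABEL")
    # Step 4: CSR; the CN is quoted because it contains spaces.
    cmu requestcert -publichandle="$pub" -privatehandle="$priv" \
        -C=CA -L=Ottawa -O=Sectigo -CN="PKC Test Cert" -outputFile="$CSR_FILE"
    # Step 5: Chrysalis-ITS PKC (-pkctype=2), verified by the client on export.
    cmu getpkc -handle="$pub" -outputfile="$PKC_FILE" -pkctype=2 -verify
    # Step 7: confirm the chain has the five certificates expected for pkctype 2.
    n=$(pkc_cert_count "$PKC_FILE")
    [ "$n" -eq "$(expected_chain_length 2)" ] || {
        echo "unexpected chain length $n in $PKC_FILE" >&2; return 1; }
    echo "CSR: $CSR_FILE  attestation: $PKC_FILE ($n certificates)"
}

# Only touch the HSM when explicitly asked: sh luna_pkc.sh run
if [ "${1:-}" = run ]; then
    generate_csr_and_pkc
fi
```

Run it as `sh luna_pkc.sh run` from a workstation with the Luna client installed; set KEY_LABEL, CSR_FILE or PKC_FILE in the environment to change the defaults. If the chain count check fails, the package was probably exported with -pkctype=1 (TC-TrustCenter, three certificates), which Sectigo does not accept for this order.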

Once you have generated this PKC file, upload it as the attestation file, together with the CSR from step 4, when completing your code signing order form.
