000020933 - Can the KCA OneStep SSL certificate private key be kept on a HSM?

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017. Version 2.

Article Content

Article Number: 000020933

Applies To:
  • Keon Certificate Authority OneStep 6.5
  • Sun Solaris 2.8
  • nCipher Hardware Security Module

Issue: Can the KCA OneStep SSL certificate private key be kept on a HSM?
Resolution: KCA OneStep can keep the OneStep SSL key, which it uses to access the KCA backend, on the HSM. The cardset must be 1 of N for this to work, because OneStep cannot log on with multiple cards. To log on to the cardset, set the KCSOSD_SSLKEY_PASSPHRASE attribute for the passphrase in the onestep.conf file; this is the same mechanism used for encrypted software keys.

There are two ways to supply the KCSOSD_SSLKEY_PASSPHRASE variable: program the passphrase into the plugin, or insert it in the HTML as a hidden field. The programmatic approach is more secure and is recommended for production systems; the HTML approach is suitable for demo purposes only.

As an example, programmatically:

```c
int KCSOSExchange(void *context, KCSOSNVInterface *pInterface) {

    // ...

    // Supply the SSL key passphrase through the name/value list. The example
    // passes "1234" with length 5 (the four characters plus the NUL terminator).
    pInterface->InsertEntry(pInterface->NVlist, KCSOSD_SSLKEY_PASSPHRASE, "1234", 5);

    // ...

}
```

HTML:

```html
<INPUT TYPE="HIDDEN" NAME="KCSOSD_SSLKEY_PASSPHRASE" value="1234">
```
Legacy Article ID: a19551
