000020560 - How to find which key on the HSM corresponds to a OneStep SSL certificate

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000020560

Applies To:
Keon Certificate Authority 6.5
Microsoft Windows 2000 Advanced Server SP2
nCipher Hardware Security Module

Issue:
How to find which key on the HSM corresponds to a OneStep SSL certificate
Using OneStep setupSSL to create keys on HSM

Resolution:
If you are using OneStep setup (e.g. setupSSL) to generate the keys, you will end up with a cert file and a key file. The key file contains a PEM encoded ASN.1 construct that contains information about the HSM stored private key. It will look something like the following:

 -----BEGIN RSA NFAST PRIVATE KEY-----
 MDUWDnJzYS1rZW9uLWNhLTY1FhAxMDMzNDMzODEwOTgxNDk1FghzcGFyY1NldAEB
 /wIBAQIBAg==
 -----END RSA NFAST PRIVATE KEY-----

You can use any ASN.1/BER viewing tool to look at the contents. One freely available tool that will do this is dumpasn1. Running dumpasn1 with the key file as input (you can leave it in its PEM encoded form) will produce output something like this:

  0 30   53: SEQUENCE {
  2 16   14:   IA5String 'rsa-keon-ca-65'
 18 16   16:   IA5String '1033433810981495'
 36 16    8:   IA5String 'sparcSet'
 46 01    1:   BOOLEAN TRUE
 49 02    1:   INTEGER 1
 52 02    1:   INTEGER 2
           :   }

The three string values are the application name, the key id, and the card set name. You should be able to match the key id with one listed by KeySafe to find the key using that tool.
Legacy Article ID: a17436
