Can the KCA OneStep SSL certificate private key be kept on a HSM?
3 years ago
Originally Published: 2003-11-24
Article Number
000041378
Applies To
Keon Certificate Authority OneStep 6.5
Sun Solaris 2.8
nCipher Hardware Security Module
Issue
Can the KCA OneStep SSL certificate private key be kept on a HSM?
Resolution
KCA OneStep does have the capability to have the OneStep SSL key used to access the KCA backend on the HSM. The cardset would need to be 1 of N for this functionality, as OneStep does not have ability for multiple card log on. As for logging onto the cardset, there is the attribute KCSOSD_SSLKEY_PASSPHRASE for the passphrase in the onestep.conf file that should be set. This should be the same mechanism as for encrypted software keys.

There are two ways to utilize the KCSOSD_SSLKEY_PASSPHRASE variable. You could program the passphrase into the plugin or insert the passphrase in HTML as an hidden field. The programmatic approach is more secure and is recommended for production systems. The HTML approach is good for demo purpose.

As an example, programmatically:

int KCSOSExchange(void *context, KCSOSNVInterface *pInterface) {

// ...

pInterface->InsertEntry(pInterface->NVlist, KCSOSD_SSLKEY_PASSPHRASE, "1234", 5);

// ...

}

HTML

<INPUT TYPE="HIDDEN" NAME="KCSOSD_SSLKEY_PASSPHRASE" value="1234">
Don't see what you're looking for?