Configuring the SSH CA to use HSM keys

Securely storing and managing private keys is a critical component of any certificate management system, including the SSH Protect certificate authority (CA). Backed by a sound strategy with both physical and logical controls, it mitigates threats from inside and outside the organization.

The best protection you can get for your private key storage is a Hardware Security Module, or HSM. When you use SSH Protect's CA in a production environment, we strongly recommend that you use an HSM for key storage. Using an HSM ensures that private keys cannot be used by unauthorized users. HSMs provide a high level of security because they perform cryptographic operations on secure hardware. In the event of a compromised system, damage is mitigated because no private key data was stored on that system.

To use an HSM with SSH Protect's CA, you need the following:

  • Create an HSM connector between Venafi Platform and the HSM.

    The HSM you use needs to have a PKCS#11 library. See our supported HSM list for recommendations.

  • Enable Venafi Advanced Key Protect. This is an add-on component to Venafi Platform which has an additional license impact.
  • Configure SSH Certificate issuance templates to use the HSM.

Create an HSM connector

First things first

You'll need to log on to the Trust Protection Platform server as a Master Admin server to complete these steps.

Step 1: Connect your HSM to the Windows server

To get started, you'll need to establish a connection between the HSM and the Windows server that hosts Trust Protection Platform. Since each HSM is different, you'll need to rely on your HSM vendor's documentation for steps on creating this connection.

NOTE  Trust Protection Platform requires the HSM vendor's PKCS#11 library in order to communicate with the HSM. This library is usually available as an installation option, so make sure to select that option, and note the name of that library. You'll need it later.

Once this connection is made, Trust Protection Platform can be configured to recognize it.

Step 2: Create the HSM connector on Trust Protection Platform

Now that the HSM is connected to the Windows server, you can set up an HSM connector in Trust Protection Platform. This section walks you through how to create that connection.

NOTE  These steps show how to create an HSM connector after initial Trust Protection Platform configuration. If you configured Trust Protection Platform to use hardware encryption during initial configuration, then you already have an HSM connector called Default HSM, and you can use that HSM with SSH Protect.

If you want to use Default HSM, go to the Connectors node in Venafi Configuration Console, open the Properties for Default HSM, and check the Allow Key Storage box. Then proceed to Step 3: Enable Venafi Advanced Key Protect.

To create a new connector, follow these steps:

  1. Sign in to the Trust Protection Platform server and open Venafi Configuration Console.
  2. In the navigation panel on the left, click Connectors.
  3. In the Actions panel on the right, click Create HSM Connector. You may be asked to sign in with your local master admin credentials.
  4. Complete the fields in the HSM Connector according to the following guidelines:

    Name
      Name of the HSM connector. This name is how SSH Administrators identify this HSM connector when they create environment templates. In this example, we'll name it SSH CA HSM.

    Cryptoki DLL Path
      Trust Protection Platform requires access to the 64-bit version of the Cryptoki DLL.
      For SafeNet Luna SA devices, this is the path to the cryptoki.dll file.
      For Entrust nShield Connect HSM devices, this is the path to the cknfast.dll file.
      After selecting the DLL, click Load Slots. Trust Protection Platform queries the HSM and returns the available slots.

      IMPORTANT  Trust Protection Platform requires the path to the DLL file to initialize the connection to the HSM device. This path is used for all Trust Protection Platform servers in the cluster (connected to the same database), so all servers in the cluster must have their DLL file in the same location.

    Slot
      Slot ID for the HSM partition where you want Trust Protection Platform to access the encryption keys.

      NOTE  While slot numbers are listed in the drop-down list, Trust Protection Platform does not depend on slot numbers. Trust Protection Platform identifies HSM partitions by label first and, if there are duplicate labels, falls back to the serial number.

    User Type
      User type required to access the HSM keys on the designated partition (Slot ID).
      The designated User Type must have sufficient permissions to use the keys in the Encryption Driver's Permitted Keys list.

    Pin
      Pin, if one is required to access the HSM.
      If you use Entrust nShield token protection, leave the field empty.
      If you are setting up AWS CloudHSM, the pin must be in the following format: <CU_user_name>:<password>.

    (button)
      If you want to generate a new AES 256-bit symmetric key on the HSM, click this button. A new key will be generated.

  5. Click Verify. Trust Protection Platform will attempt to connect to the HSM.

    NOTE  This may take a couple of minutes.

  6. If the connection is successful, you'll see a Permitted Keys box and an Allow Key Storage checkbox.

    For the purposes of this procedure, don't select anything in Permitted Keys, but do select the Allow Key Storage checkbox.

    NOTE  The keys shown in the Permitted Keys box are keys available for data encryption purposes. If you want to use an existing key on your HSM, you'll be able to select that key when you create your environment.

    The Allow Key Storage checkbox enables this HSM connector to store keys on the HSM itself.

  7. Click Create.

The HSM connector is now created, and you'll see it listed under the Encryption Connectors section of the Platform Connectors page.

If you want to create more HSM connectors, just repeat these steps.
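Before you click Verify, it is worth confirming that the Cryptoki DLL really is a 64-bit build and really sits at the same path on every server in the cluster, since a mismatch on one node only surfaces when that node tries to initialize the HSM. The following PowerShell script is an added example, not part of Venafi's documentation or product; it assumes PowerShell remoting (WinRM) is enabled on the servers, and the hostnames and DLL path are placeholders to replace with your own values.

```powershell
# Added example (not Venafi code): check that the Cryptoki DLL exists at the same path
# on every Trust Protection Platform server in the cluster and is a 64-bit build.
# Assumes WinRM remoting is enabled; hostnames and path below are placeholders.

$ClusterServers = @('tpp-node1', 'tpp-node2')                          # placeholder hostnames
$CryptokiDll    = 'C:\Program Files\SafeNet\LunaClient\cryptoki.dll'    # placeholder path

$probe = {
    param([string]$Path)
    $result = [ordered]@{ Server = $env:COMPUTERNAME; Path = $Path; Exists = $false; Arch = 'n/a' }
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $result.Exists = $true
        $bytes = [System.IO.File]::ReadAllBytes($Path)
        # DOS "MZ" header; e_lfanew at offset 0x3C points to the "PE\0\0" signature,
        # and the IMAGE_FILE_HEADER Machine field sits 4 bytes after that signature.
        if ($bytes.Length -ge 0x40 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A) {
            $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
            if ($peOffset + 6 -le $bytes.Length -and
                [BitConverter]::ToUInt32($bytes, $peOffset) -eq 0x00004550) {
                $machine = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
                $result.Arch = switch ($machine) {
                    0x8664  { 'x64' }                          # IMAGE_FILE_MACHINE_AMD64
                    0x014C  { 'x86 (32-bit, unusable)' }       # IMAGE_FILE_MACHINE_I386
                    default { 'unknown 0x{0:X4}' -f $machine }
                }
            } else { $result.Arch = 'bad PE signature' }
        } else { $result.Arch = 'not a PE file' }
    }
    [pscustomobject]$result
}

# Run the probe on every node and collect one row per server.
$report = Invoke-Command -ComputerName $ClusterServers -ScriptBlock $probe -ArgumentList $CryptokiDll
$report | Format-Table Server, Exists, Arch, Path -AutoSize

# Any node that lacks the DLL, or has a 32-bit build, will fail the connector on that node.
$bad = @($report | Where-Object { -not $_.Exists -or $_.Arch -ne 'x64' })
if ($bad.Count -gt 0) {
    Write-Warning ('{0} server(s) are missing the DLL or have a non-64-bit build; fix these before clicking Verify.' -f $bad.Count)
}
```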

Step 3: Enable Venafi Advanced Key Protect

If Venafi Advanced Key Protect is not yet enabled, you'll need to enable it. In the Connectors node of Venafi Configuration Console, click Enable Venafi Advanced Key Protect.

Step 4: Restart Services

Click the Product node in the Venafi Configuration Console left navigation pane. In the Windows Services section in the center pane, restart any services that are currently in the Running or Started state. To do this, click the service to highlight it, and then click Restart in the Actions pane on the right.

You'll need to restart the services for each Trust Protection Platform server connected to the database.

Configure template to use HSM Connector

Now that you have a working HSM connector, you can select it when creating issuance templates. See Working with issuance templates for more information.