Enabling remote key generation for Apache certificates

After you enable Venafi Advanced Key Protect, you enable remote key generation on specific installations. For example, if you want Thales SafeNet Luna SA HSM-based remote key generation to share a certificate across several Apache HTTP servers, you enable each Apache installation individually.

Configuring remote key generation for Apache

  1. In TLS Protect, locate a certificate with installations of type Apache.

    1. Open the Certificate Inventory.
    2. Use the Installation Type filter to limit installations to Apache.
  2. In the Installations column, click the arrow to see the installations associated with a certificate.
  3. In the Installation Type column, look for installations of type Apache, and then click Installation Type.
  4. Click Edit.
  5. Scroll to the Hardware Security Module Settings section.

    These settings are only available if you have Venafi Advanced Key Protect enabled. For more information, see Enabling Venafi Advanced Key Protect.

  6. In the Private Key Location field, choose hardware remote key generation or software remote key generation. For more information, see Supported methods of key generation.

    • Device. This option is software remote key generation on the external device.
    • Thales SafeNet HSM. This option is hardware remote key generation on the Thales SafeNet Luna SA HSM. You will be required to fill out the following fields:

      • Client Tools Path. Type the directory path where the sautil command from the OpenSSL Toolkit is located on the device.

        The default path is /usr/safenet/lunaclient/bin.

      • Partition Password Credential. Select a password credential that represents the PIN for the HSM partition where the private key is stored.

        If the credential doesn't yet exist, click Create New Credential.

    • Entrust nShield Connect HSM (RSA keys only). This option is hardware remote key generation on the Entrust nShield Connect HSM. If you choose Entrust nShield Connect HSM, you must fill out the following fields:

      • (Conditional) Common Data Location. Type the directory path where the HSM will store the certificate and private key. The default is /opt/nfast/kmdata/local.

        DID YOU KNOW?  The Common Data Location is the directory where Trust Protection Platform fetches additional Entrust nShield Connect HSM artifacts. If you are using Entrust nShield Connect HSM-based remote key generation in a group, be sure to specify a valid path for Common Data Location. Otherwise, during Stage 801, a "no such file" error occurs. The default is /opt/nfast/kmdata/local.

      • Client Tools Path. Type the directory path where the generatekey utility and other nShield Core Tools are installed on the device.

        The default path is /opt/nfast/bin.

      • Protection Type. Depending on the option you select, you might also have to specify an Identifier for the protection type selected.

        • Operator Card Set. Enter the OCS Identifier.

          IMPORTANT   Only operator card sets with a quorum of 1 are supported (1-of-N) and the operator card must be inserted into the HSM's card reader slot prior to any interaction by Trust Protection Platform with the device. An operator card may be left permanently inserted into the slot; or you can configure a workflow to pause processing until someone has acknowledged reinsertion of the card.

        • Module. This is the lowest protection level. It requires that your device has been properly configured to use the HSM for key generation.
        • Softcard. This is the next highest level of protection. This is a kind of password that is stored on your HSM. If you selected Softcard as the Protection Type, then in the Softcard Identifier field, enter your softcard's 40-character hash.

          This option requires that the device is properly configured to use the HSM for key generation and that a softcard has been previously generated using the HSM, and that the requester knows the passphrase for that softcard.

          NOTE   If you set Reuse Private Key for Service Generated CSRs to Yes on a certificate's policy, the protection type is ignored because it cannot be changed for an existing private key. If you need to change the protection type, you must set Reuse Private Key for Service Generated CSRs to No.

          For more information, see Setting policy on a folder.

      • Softcard Identifier. Type the 40-character hash that identifies the soft card.

      • Softcard Password Credential. Type a password credential that provides the softcard pass phrase.

      • Private Key Alias. Displays the HSM key alias for this key; the value is stored in the Apache object's Private Key Label attribute.

        While this read-only field is visible on every Apache application object, it is only enabled for Entrust nShield's Entrust nShield Connect HSM option.

        The private key alias is created by combining the time-stamp (YYMMDDhhmmss) and the file name of the key (without the file extension). For example: 190316142039_MyPrivateKey.

  7. Click Save.
  8. (Optional) If you are using a SafeNet HSM that runs in strict FIPS 140-2 Level 3 mode, configure it with RSAKeyGenMechRemap=1. For more information, see SafeNet documentation.
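The steps above are filled in through the TLS Protect UI, but the values they take (Client Tools Path, Common Data Location, the 40-character Softcard Identifier, and the derived Private Key Alias) can be sanity-checked on the device before you click Save, which avoids the Stage 801 "no such file" failure the note above describes. The following preflight script is an added example and is not Venafi's code or part of Trust Protection Platform. It only checks the local filesystem and identifier formats; it never talks to an HSM. It assumes the softcard hash is hexadecimal (the page says only "40-character hash"), and the `make_demo_layout` fixture creates placeholder `sautil` and `generatekey` files in a temporary directory purely so the checks can be exercised offline.

```python
"""Preflight checks for Apache remote key generation settings (added example, not Venafi code)."""
import os
import re
import tempfile
from datetime import datetime
from typing import Dict, List, Tuple

# Defaults stated on the page for the Client Tools Path and Common Data Location fields.
SAFENET_DEFAULT_TOOLS = "/usr/safenet/lunaclient/bin"
NSHIELD_DEFAULT_TOOLS = "/opt/nfast/bin"
NSHIELD_DEFAULT_KMDATA = "/opt/nfast/kmdata/local"

# Assumption: the 40-character softcard hash is hexadecimal.
SOFTCARD_ID_RE = re.compile(r"^[0-9a-fA-F]{40}$")
# Private Key Alias format from the page: YYMMDDhhmmss + "_" + key file name without extension.
ALIAS_RE = re.compile(r"^(\d{12})_(.+)$")


def validate_softcard_identifier(identifier: str) -> bool:
    """True when the identifier looks like the 40-character hash the Softcard option expects."""
    return bool(SOFTCARD_ID_RE.match(identifier.strip()))


def build_private_key_alias(key_file_name: str, when: datetime) -> str:
    """Derive the alias exactly as the page describes: timestamp, underscore, base name."""
    base = os.path.splitext(os.path.basename(key_file_name))[0]
    return f"{when:%y%m%d%H%M%S}_{base}"


def parse_private_key_alias(alias: str) -> Tuple[datetime, str]:
    """Split an alias back into its generation time and key base name (raises on bad input)."""
    match = ALIAS_RE.match(alias)
    if not match:
        raise ValueError(f"not a private key alias: {alias!r}")
    return datetime.strptime(match.group(1), "%y%m%d%H%M%S"), match.group(2)


def _check_tool(tools_path: str, tool: str) -> List[str]:
    """Verify that a required client tool exists and is executable under Client Tools Path."""
    full = os.path.join(tools_path, tool)
    if not os.path.isdir(tools_path):
        return [f"Client Tools Path does not exist: {tools_path}"]
    if not os.path.isfile(full):
        return [f"{tool} not found in Client Tools Path: {full}"]
    if not os.access(full, os.X_OK):
        return [f"{tool} is not executable: {full}"]
    return []


def check_safenet_settings(client_tools_path: str = SAFENET_DEFAULT_TOOLS) -> List[str]:
    """Problems with the Thales SafeNet HSM option; an empty list means the checks passed."""
    return _check_tool(client_tools_path, "sautil")


def check_nshield_settings(client_tools_path: str = NSHIELD_DEFAULT_TOOLS,
                           common_data_location: str = NSHIELD_DEFAULT_KMDATA,
                           protection_type: str = "Module",
                           identifier: str = "") -> List[str]:
    """Problems with the Entrust nShield Connect HSM option; an empty list means the checks passed."""
    problems = _check_tool(client_tools_path, "generatekey")
    # A missing Common Data Location is what produces the Stage 801 "no such file" error.
    if not os.path.isdir(common_data_location):
        problems.append(f"Common Data Location does not exist: {common_data_location}")
    if protection_type == "Softcard":
        if not validate_softcard_identifier(identifier):
            problems.append("Softcard Identifier must be a 40-character hash")
    elif protection_type == "Operator Card Set":
        if not identifier.strip():
            problems.append("OCS Identifier is required for Operator Card Set protection")
    elif protection_type != "Module":
        problems.append(f"Unknown Protection Type: {protection_type!r}")
    return problems


def make_demo_layout() -> Dict[str, str]:
    """Constructed fixture: a temp directory that mimics correctly provisioned client tools."""
    root = tempfile.mkdtemp(prefix="rkg-demo-")
    paths = {
        "safenet_tools": os.path.join(root, "usr", "safenet", "lunaclient", "bin"),
        "nshield_tools": os.path.join(root, "opt", "nfast", "bin"),
        "nshield_kmdata": os.path.join(root, "opt", "nfast", "kmdata", "local"),
    }
    for path in paths.values():
        os.makedirs(path)
    for tool in (os.path.join(paths["safenet_tools"], "sautil"),
                 os.path.join(paths["nshield_tools"], "generatekey")):
        with open(tool, "w") as handle:
            handle.write("#!/bin/sh\nexit 0\n")  # placeholder stand-in, not the real tool
        os.chmod(tool, 0o755)
    return paths


if __name__ == "__main__":
    demo = make_demo_layout()
    print("SafeNet:", check_safenet_settings(demo["safenet_tools"]) or "OK")
    print("nShield:", check_nshield_settings(demo["nshield_tools"], demo["nshield_kmdata"],
                                             "Softcard", "0" * 40) or "OK")
    print("Alias:", build_private_key_alias("MyPrivateKey.key", datetime(2019, 3, 16, 14, 20, 39)))
```

Run it on the actual device with the real paths (the defaults are the ones the page lists) instead of the fixture; a non-empty problem list means the value you are about to enter in the Hardware Security Module Settings section will fail at provisioning time rather than at Save.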

TIP  You can control the remote generation settings via policy by launching Policy Tree, selecting a policy, and opening Applications Apache > Remote Generation Settings.