How to Generate CSR and Key Attestation Using Luna Network HSM?

Create CSR and Key Attestation in Luna HSM

Are you a software developer, a security professional, or someone involved in code-signing certificates? If yes, then you need to stay up-to-date with industry standards.

Also, know the best practices by familiarizing yourself with the CA/B Forum Baseline Requirements v2.8 for Code Signing Certificates. The increasingly interconnected world demands integrity and authenticity of software and applications is paramount.

Code signing certificates are digital signatures, giving users confidence that the code they are downloading or installing comes from a trusted source and has not been tampered with.

In this article, we will explore the CA/B Forum Baseline Requirements version 2.8 for Code Signing Certificates, a set of industry standards and guidelines that aim to enhance the security and trustworthiness of code signing processes.

Lets’ begin!

CSR and Key Attestation Creation for the Luna Network

In this section, we will explore the process of creating a Certificate Signing Request (CSR) and key attestation for the Luna Network Attached HSM 7.x.

We’ll discuss the attestation package format and provide instructions on generating a Public Key Confirmation (PKC) file in an RSA key pair context. Let’s break down the key points:

Luna Network Attached HSM 7.x:

This section focuses on Luna HSMs and their ability to generate a Public Key Confirmation package (PKC) as a key attestation. The PKC serves to verify that a specific key pair was generated and securely stored within the Luna HSM.

Attestation Package Format:

PKC files generated by Luna HSMs are in DER-encoded PKCS7 format. These files contain the key attestation information. Encoding the PKC file in base64 format is essential for compatibility with the key attestation service.

PKC for RSA Keypair:

When generating a PKC for an RSA key pair, two formats are commonly mentioned:

  • TC-Trust Center: This format includes three certificates in the PKC, and the certificate chain does not end with a root certificate.
  • Chrysalis-ITS: This format comprises five certificates in the PKC structure, and the certificate chain concludes with a root certificate.

It is recommended to select the Chrysalis-ITS format because vendor documentation is available, which can be accessed for further guidance.

These guidelines outline the process for creating a CSR and key attestation using the Luna Network Attached HSM 7.x. They explain the attestation package format and provide options for generating PKC files within an RSA key pair context.

Process using Chrysalis-ITS format

To generate a CSR and PKC in the Chrysalis-ITS format, follow the steps below:

Step 1: Launch the Luna remote client and log in to the Luna HSM.

Step 2: Use the LunaCM2 utility to generate an RSA key pair on a Luna Partition1. Execute the appropriate command based on your operating system:

For Windows:

c:\ cd c:\Program Files\SafeNet\LunaClient
c:\Program Files\SafeNet\LunaClient\> lunacm

For Linux:

>cd /usr/safenet/lunaclient/bin
./lunacm

Generate the RSA key pair with the following command, replacing “LABEL” with your desired key pair identifier:

cmu gen -modulusBits=3072 -publicExp=65537 -sign=T -verify=T -label=LABEL -extractable=false

QUICK NOTE: The parameters “-extractable=false” and “-sign=T” are mandatory for successful CSR generation, as Luna will not utilize this key to sign the CSR. The RSA key size must be at least 3072 bits for code signing certificates.

Step 3: Retrieve the handle numbers of the public and private keys by executing the following commands:

cmu list -class public -label=LABEL
cmu list -class private -label=LABEL

Step 4: Generate a CSR using the following command, replacing “MNO” and “BCD” with the respective public and private key handles:

cmu requestcert -publichandle=MNO -privatehandle=BCD -C=CA -L=Ottawa -O=Sectigo -CN="PKC Test Cert" -outputFile=rsacsr.pem

Step 5: Generate a PKC by running the following command, replacing “MNO” with your public key handle and “attestation.p7b” with the desired file name:

cmu getpkc -handle=MNO -outputfile=attestation.p7b -pkctype=2 -verify

Step 6: Encode the attestation PKC file to base64 format. Use the following commands:

For Windows:

certutil -encode attestation.p7b attestation.b64
findstr /v CERTIFICATE attestation.b64 > attestation.b64

For Linux:

base64 attestation.p7b > attestation.b64

Step 7: Submit the generated CSR and base64-encoded attestation to the Sectigo key attestation service or or reseller-website enrollment form for verification of the HSM’s authenticity in issuing code signing certificates.

By following these steps, you can generate a CSR and PKC in Chrysalis-ITS format for use in the Sectigo key attestation service or reseller-website enrollment form.

Wrapping UP:

Discover how these requirements can help you enhance the security of your applications and build trust with your users. Whether you are a beginner or an expert, explore this document’s comprehensive guidelines and recommendations to use Luna HSM for Code Signing Certificates.

Recommended: Key Generation and CSR Attestation using YubiKey

Janki Mehta

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.