Generating the Luna Network HSM 7 Server Certificate

You must generate a new Luna Network HSM 7 server certificate before placing the HSM in service. Do not put the appliance into production with the default certificate that was generated at the factory.

You can also regenerate the server certificate at any time once the HSM is in service. Regeneration overwrites both the server certificate and its private key, so every client that has registered the appliance must add it again using the new certificate before its NTLS links will work, and the NTLS, STC and CBS services must be restarted on the appliance before clients can connect.

To generate a new server certificate for the Luna Network HSM 7

Use the following command in LunaSH.

lunash:> sysconf regenCert [-startdate <YYYYMMDD>] [-days <number_of_days>]

If your security policy requires you to change your HSM server certificates periodically, include the -days option to limit the certificate's validity period. By default, Luna Network HSM 7 server certificates are valid for 3653 days (10 years) from the start date.

If you want the certificate to become valid on a specific date, include the -startdate option. By default, the start date is set 24 hours before the time of generation, so that the certificate is already valid in every time zone at the moment it is created. A certificate whose start date is in the future is not valid until that date arrives.

For example:

lunash:>sysconf regencert

WARNING !!  This command will overwrite the current server certificate and private key.
            All clients will have to add this server again with this new certificate.
If you are sure that you wish to proceed, then type 'proceed', otherwise type 'quit'

> proceed
Proceeding...

'sysconf regenCert' successful. The NTLS, STC and CBS services must be (re)started before clients can connect.

Please use the 'ntls show' command to ensure that NTLS is bound to an appropriate network device or IP address/hostname
for the network device(s) NTLS should be active on. Use 'ntls bind' to change this binding if necessary.

Command Result : 0 (Success)
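After regenerating the certificate, a practitioner will want to confirm from the client side that the validity window actually matches the -startdate and -days values that were intended, and that it satisfies the organisation's certificate-lifetime policy. The following script is an added example and is not part of the Thales documentation or the Luna client tooling. It assumes you have copied the appliance's server.pem to the client host and run `openssl x509 -in server.pem -noout -dates`; the two output lines used below are constructed sample text. The -startdate option is assumed to mean midnight UTC of the given date, which the documentation does not state.

```python
"""Client-side check of a regenerated Luna Network HSM server certificate's
validity window. Added example; not Thales code. Input is the output of
    openssl x509 -in server.pem -noout -dates
"""
from datetime import datetime, timedelta, timezone

DEFAULT_VALIDITY_DAYS = 3653                 # documented regenCert default (10 years)
DEFAULT_START_OFFSET = timedelta(hours=24)   # documented default: start date is 24 h earlier
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"    # e.g. "Jan  3 09:15:42 2024 GMT"

# Constructed sample of 'openssl x509 -noout -dates' for a cert made with
# 'sysconf regenCert' and no options on 2024-01-04 09:15:42 UTC.
SAMPLE_OPENSSL_OUTPUT = """\
notBefore=Jan  3 09:15:42 2024 GMT
notAfter=Jan  3 09:15:42 2034 GMT
"""


def expected_window(generated_at, startdate=None, days=DEFAULT_VALIDITY_DAYS):
    """Return the (not_before, not_after) pair that 'sysconf regenCert'
    should produce for the given -startdate ('YYYYMMDD' or None) and -days.
    Assumption (not in the docs): an explicit -startdate means 00:00 UTC."""
    if startdate is None:
        not_before = generated_at - DEFAULT_START_OFFSET
    else:
        not_before = datetime.strptime(startdate, "%Y%m%d").replace(tzinfo=timezone.utc)
    return not_before, not_before + timedelta(days=days)


def parse_openssl_dates(text):
    """Parse the notBefore=/notAfter= lines printed by openssl into aware UTC
    datetimes. openssl pads single-digit days with a double space, so the
    whitespace is normalised before parsing."""
    dates = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = " ".join(value.split())
        dates[key.strip()] = datetime.strptime(value, OPENSSL_DATE_FMT).replace(
            tzinfo=timezone.utc
        )
    return dates["notBefore"], dates["notAfter"]


def check_window(not_before, not_after, now, max_days, warn_days=30):
    """Return a list of policy findings; an empty list means the window is
    acceptable. max_days is the organisation's maximum certificate lifetime."""
    findings = []
    lifetime = (not_after - not_before).days
    if lifetime > max_days:
        findings.append(f"validity of {lifetime} days exceeds policy maximum of {max_days}")
    if not_before > now:
        findings.append(
            f"not yet valid: notBefore {not_before:%Y-%m-%d %H:%M} UTC is in the future, "
            "so clients cannot use this certificate yet"
        )
    if not_after <= now:
        findings.append("expired: regenerate the certificate and re-register all clients")
    elif not_after - now <= timedelta(days=warn_days):
        findings.append(
            f"expires in {(not_after - now).days} days: schedule 'sysconf regenCert' "
            "and client re-registration"
        )
    return findings


def lifetime_days(not_before, not_after):
    """Whole days between the two validity bounds."""
    return (not_after - not_before).days


if __name__ == "__main__":
    nb, na = parse_openssl_dates(SAMPLE_OPENSSL_OUTPUT)
    print(f"server.pem valid {nb:%Y-%m-%d} to {na:%Y-%m-%d} ({lifetime_days(nb, na)} days)")
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for max_days in (3653, 825):
        findings = check_window(nb, na, now, max_days)
        print(f"policy max {max_days} days:", findings or "OK")
```

Run the script against the real openssl output to confirm the default window (3653 days starting 24 hours before generation) or the explicit -startdate/-days values you passed; a non-empty findings list means the certificate either violates the lifetime policy or is not usable by clients at the current time.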

NOTE   Luna Network HSM 7 version 7.8.4 adds the options to specify -keytype, -keysize, and -curve, in order to direct or constrain the type and size of keys (as applicable) that are generated for the server certificate, and Luna HSM Client 10.7.0 adds the complementing ability to the vtl utility for client-side certificate generation. See Configure NTLS and SSH Key Size and Type.