Creating an NTLS Connection Using Certificates Signed by a Trusted Certificate Authority

A trusted Certificate Authority (CA) can provide authentication for your NTLS connections. This can be a commercial third-party CA or your organization's own signing station. This type of connection is created in the following stages:

1.Authenticating the Appliance Using a Trusted CA

2.Authenticating a Client Using a Trusted CA

3.Registering a Client to the Appliance

NOTE   This feature requires minimum Luna HSM Client 10.1.0 and Luna Appliance Software 7.7.0.

See also Using a Combination of Self-Signed and CA-Signed Certificates.

Authenticating the Appliance Using a Trusted CA

Use the following procedure to authenticate the appliance by having its certificate signed by your trusted CA.

Prerequisites

>You must have admin-level access to LunaSH on the appliance.

To authenticate the appliance using a certificate signed by a trusted CA

1.Log in to LunaSH as admin (see Logging In to LunaSH).

2.Regenerate the Luna Network HSM 7 server certificate, specifying the -csr option to create a Certificate Signing Request (CSR)—an unsigned certificate to be signed by a Certificate Authority (CA). You have the option to specify other information about the certificate.

CAUTION!   Regenerating the server certificate will break any existing NTLS/STC connections, when a subsequent restart of the service is performed.

lunash:> sysconf regenCert -csr

3.Transfer the CSR (serverCSR.pem) from the appliance to a workstation using scp or pscp.

pscp <user>@<host/IP>:serverCSR.pem <target_filename>

NOTE   When using pscp or scp over an IPv6 network, enclose addresses in square brackets.

You must accept the SSH certificate the first time you open an SCP/PSCP or SSH link. You can check the SSH fingerprint in LunaSH to confirm the secure connection.

lunash:> sysconf fingerprint ssh

4.Submit the serverCSR.pem certificate file to be signed by the Certificate Authority, as directed by the documentation of the particular Certificate Authority. You require the following artifacts from the CA:

Signed base64(PEM)-encoded client certificate in x509 format

The CA's base64 certificate in x509 format, including the root certificate

5.Upon receiving the signed server certificate, transfer the signed server certificate and the CA certificate chain to the admin user on the appliance using scp or pscp. The files arriving at the appliance are automatically placed in the appropriate directory. Do not specify a target directory.

6.Log in to LunaSH as admin and register the CA certificate chain in the appliance trust store. Specify each certificate's filename, minus the .pem extension. Repeat this step until the entire certificate chain is registered.

lunash:> client addCA <filename>

lunash:>client addCA CAroot

Attempting to install CA cert CAroot:

Command Result : 0 (Success)

7.[Optional] Display a list of CA certificates registered on the appliance.

lunash:> client listCAs

8.Install the signed appliance server certificate. This replaces the appliance's server.pem with the signed certificate.

lunash:> sysconf installCert <filename>

9.Restart the NTLS, STC and CBS services.

lunash:> service restart <service>

Authenticating a Client Using a Trusted CA

Use the following procedure to authenticate the client by having its certificate signed by your trusted CA.

Prerequisites

>You must have Administrator privileges on the client workstation.

To authenticate a client using a certificate signed by a trusted CA

1.On the client workstation, open a command prompt and navigate to the Luna HSM Client directory.

NOTE   On Windows, ensure that you open a command prompt with Administrator privileges.

Windows: C:\Program Files\SafeNet\LunaClient

Linux/AIX: /usr/safenet/lunaclient/bin

Solaris: /opt/safenet/lunaclient/bin

2.Create a Certificate Signing Request (CSR) for the client—an unsigned certificate to be signed by a third-party Certificate Authority (CA). You must specify the client hostname or IP. You have the option to specify other information about the certificate.

CAUTION!   Regenerating the server certificate will break any existing NTLS/STC connections, when a subsequent restart of the service is performed.

> vtl createCSR -n <client_hostname/IP>

The certificate and private key are saved to the <client_install_dir>/cert/client directory and are named <client_hostname/IP>CSR.pem and <client_hostname/IP>Key.pem, respectively. The command output displays the filepath.

3.Submit the CSR file to be signed by your preferred or in-house Certificate Authority. You require the following artifacts from the CA:

Signed base64(PEM)-encoded client certificate in x509 format

The CA's base64(PEM)-encoded certificate chain in x509 format, including the root certificate

4.Register the CA certificate chain in the client's trust store. Specify the full path and filename for each certificate. Repeat this step until the entire certificate chain is registered.

> vtl addCA -n <cert_name> -c <cert_filepath/name>

5.Copy the signed client certificate to the following location in the Luna HSM Client directory:

Windows: C:\Program Files\SafeNet\LunaClient\cert\client\

Linux/AIX: /usr/safenet/lunaclient/cert/client/

Solaris: /opt/safenet/lunaclient/cert/client/

6.Add the IP/hostname of any Luna Network HSM 7 appliance where the client will access application partitions. The CA chain used to sign the certificate must be added to the trust store of the appliance, as described in Authenticating the Appliance Using a Trusted CA.

> vtl addServerNoCert -n <IP/hostname>

7.[Optional] Edit crystoki.ini/Chrystoki.conf to enable server IP/hostname validation on the client. Do this only if the appliance server certificate was created with Subject Alternate Names (SANs).

[Misc]
ValidateHost=1

Registering a Client to the Appliance

Finally, you must transfer the signed client certificate to the appliance and register it.

Prerequisites

>The CA chain used to sign the certificate must be added to both the client's and the appliance's trust store.

>You must have admin-level access to LunaSH on the appliance.

NOTE   The following procedure assumes that you are configuring an NTLS client-partition connection for the first time. If an NTLS client-partition connection has been established and the client certificate is being periodically replaced, for example in the case of client certificate renewals or deployment on multiple virtual machines, the new client certificate must be transferred to and registered with the appliance only if it was authenticated by the CA under a new host name or IP; that is, the appliance will continue trusting the CA-signed client certificate based on the registered certificate chain and maintain the NTLS client-partition connection if the new client certificate has been authenticated by the CA under a previously used client host name or IP. In such cases, where client certificates must be periodically replaced while maintaining an NTLS client-partition connection, Thales recommends that you replace the client certificate in the client and leave the expired client certificate in the appliance to avoid incurring application downtime.

To register a client to the appliance

1.Transfer the signed client certificate to the appliance using pscp or scp.

2.Log in to LunaSH as admin (see Logging In to LunaSH).

3.Register the client's certificate on the appliance. Specify the client's IP address or hostname, depending on which was used to create the certificate.

lunash:> client register -client <clientname> {-hostname <hostname> | -ip <IPaddress>}

You can now assign partitions to the client (see Assigning or Revoking NTLS Client Access to a Partition).

Using a Combination of Self-Signed and CA-Signed Certificates

It is possible to use a combination of self-signed and CA-signed certificates; meaning a CA-signed certificate on the Luna Network HSM 7 appliance and a self-signed certificate on the client, or vice-versa. To use this configuration, modify the instructions above as follows:

To use a self-signed client certificate and a CA-signed appliance certificate

>Transfer the client's self-signed certificate (<IP/hostname>.pem) to the appliance and register it.

lunash:> client register -client <clientname> {-hostname <hostname> | -ip <IPaddress>}

>Transfer the CA-signed appliance certificates to the appliance.

>Transfer the root CA to the appliance.

>Transfer the root CA to the client.

To use a self-signed appliance certificate and a CA-signed client certificate

>Transfer the appliance's self-signed certificate (server.pem) to the client and register it.

> vtl addServer -n <IP/hostname> -c <cert_filename>

>Transfer CA-signed client certificates to the client.

>Transfer the root CA to the client.

>Transfer the root CA to the appliance.

Updating or rotating or refreshing a certificate from a registered client

If the client certificate is expiring, or your security policy requires you to rotate certificates on a schedule, you might prefer to perform the action without closing currently working connections. With Luna Network HSM 7 version 7.8.3 and newer, the client update command allows you to update the certificate such that it takes effect for all new connections, but current open connections remain open with the pre-update certificate.

>The CA issuing certificate for clients should be registered on the Luna Network HSM 7 appliance and

>the CA issuing certificate for appliance should be registered on client.