使用 Thales Luna HSM 中存在的证书建立 SSL/TLS 连接

Question

I am trying to setup a Netty Server with HTTPS enabled. In order to establish the SSL/TLS connections, I need to fetch the certificiate from Saf.net Luna Network HSM and pass that Cert to Netty's SSL Context.

I have generated a keypair in the Luna HSM and then generate a self sign certificate using the generated keypair. So now my self sign cert is present inside the HSM and I need to use that cert to establish TLS connections by initializing the SSL Context. According to the usgae of HSM we should not extract our cert and private key details outside of the HSM box.

Then how can i establish a TLS connection by using the certificate present inside Luna Network HSM.

I have tried to fetch the certiciate from HSM box by using the alias name of the certificate and later use that to initialize the SSL context but no luck.

My expectation is to establish TLS connections by using the generated certificate directly from HSM to initilaize SSL Context without extartcting any information oustide of the HSM box.

Thanks

Answer 1

So HSM works on 2way handshake to establish mutual trust, So HSM over HTTPS needs the following configuration:

From the client side: The client will have a self-signed certificate of the HSM host stored inside its own trust store.

On top of the client will have its own key pair of let's say RSA 2048 stored in keystore

From the HSM side: HSM will have a self-signed certificate received from the client (public key of rsa keypair) inside its trust store.

in a similar way its own key-store pair to communicate to client

End result: Each party has trust between them (as they have their certificates loaded inside truststore) and a key pair to share messages in an encrypted format.

Article to get you started: https://dzone.com/articles/implementing-one-way-and-two-way-ssl-mutual-authen