To import the key safely into the HSM, another RSA key pair has to be used to encrypt it during the transfer. If no such key pair is available, one can be generated with p11tool2 from the product bundle:
For more details about p11tool2, see [CS_PKCS11T2].
The private key needs to be in a specific format before it can be imported: PKCS#8 DER format, protected with a passphrase and encrypted with the AES 128 ECB cipher. To transform it into that format, run this command:
With an RSA key pair inside the HSM and the private key in the correct format, you can import it by running the following command:
key-file is the private key used by the Apache server for the HTTPS cryptographic operations. It can be found in the Apache configuration file as the value of the SSLCertificateKeyFile directive. On Ubuntu this is the file /etc/apache2/sites-available/default-ssl.conf; on Red Hat it is the file /etc/httpd/conf.d/ssl.conf.
key-label and key-id are the label and the ID of the private key after it has been moved into the HSM. kek-label and kek-id are the label and the ID of the key used to encrypt the private key during the transfer.
The ID is given in hexadecimal for p11tool2 and as an ASCII string for the import command. So, in the previous examples, 0x313233 represents the ASCII character sequence 123.
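Two things are worth checking before the import command is run: that the converted key file really is DER-encoded PKCS#8 EncryptedPrivateKeyInfo (a PEM file, or a plain unencrypted PrivateKeyInfo, will not be accepted), and that the key and KEK IDs are given consistently in their hexadecimal (p11tool2) and ASCII (import command) forms. The following pre-flight script is an added example and not part of the original documentation or of the p11tool2 / CryptoServer tooling; the DER samples it checks are constructed inline (the AES parameters in a real PBES2 AlgorithmIdentifier are a longer SEQUENCE, here replaced by a NULL for brevity).

```python
"""Pre-flight checks for moving an Apache TLS private key into an HSM.

Added example (not Utimaco's or the page's own code). Only the standard
library is used; the DER parser is a minimal one that checks structure, it
does not decrypt anything.
"""


def _read_tlv(data: bytes, offset: int):
    """Parse one DER tag-length-value at offset; return (tag, value, next_offset)."""
    if offset + 2 > len(data):
        raise ValueError("truncated DER")
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or offset + n > len(data):
            raise ValueError("bad DER length")
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    if offset + length > len(data):
        raise ValueError("truncated DER value")
    return tag, data[offset:offset + length], offset + length


def is_encrypted_pkcs8_der(data: bytes) -> bool:
    """True if data is shaped like PKCS#8 EncryptedPrivateKeyInfo in DER.

    EncryptedPrivateKeyInfo ::= SEQUENCE {
        encryptionAlgorithm  AlgorithmIdentifier,  -- SEQUENCE { OID, params }
        encryptedData        OCTET STRING }

    PEM input ("-----BEGIN ...") and unencrypted PrivateKeyInfo (whose first
    element is the INTEGER version, not a SEQUENCE) are rejected.
    """
    if data.startswith(b"-----BEGIN"):
        return False  # PEM text, not DER
    try:
        tag, body, end = _read_tlv(data, 0)
        if tag != 0x30 or end != len(data):
            return False
        alg_tag, alg_body, off = _read_tlv(body, 0)
        if alg_tag != 0x30:
            return False
        oid_tag, _, _ = _read_tlv(alg_body, 0)
        if oid_tag != 0x06:
            return False
        enc_tag, _, off = _read_tlv(body, off)
        return enc_tag == 0x04 and off == len(body)
    except ValueError:
        return False


def id_hex_to_ascii(hex_id: str) -> str:
    """p11tool2 form (0x313233) -> import-command form (123)."""
    digits = hex_id[2:] if hex_id.lower().startswith("0x") else hex_id
    text = bytes.fromhex(digits).decode("ascii")
    if not text.isprintable():
        raise ValueError("ID bytes are not printable ASCII; choose another ID")
    return text


def id_ascii_to_hex(ascii_id: str) -> str:
    """Import-command form (123) -> p11tool2 form (0x313233)."""
    return "0x" + ascii_id.encode("ascii").hex()


# Constructed sample inputs (short-form DER lengths only).
def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value


_PBES2_OID = bytes.fromhex("2a864886f70d01050d")   # 1.2.840.113549.1.5.13
_RSA_OID = bytes.fromhex("2a864886f70d010101")     # 1.2.840.113549.1.1.1

# Encrypted key: SEQUENCE { SEQUENCE { OID pbes2, NULL }, OCTET STRING }
SAMPLE_ENCRYPTED = _tlv(0x30, _tlv(0x30, _tlv(0x06, _PBES2_OID) + _tlv(0x05, b""))
                        + _tlv(0x04, bytes(8)))
# Unencrypted key: SEQUENCE { INTEGER 0, SEQUENCE { OID rsa, NULL }, OCTET STRING }
SAMPLE_PLAIN = _tlv(0x30, _tlv(0x02, b"\x00")
                    + _tlv(0x30, _tlv(0x06, _RSA_OID) + _tlv(0x05, b""))
                    + _tlv(0x04, bytes(8)))
SAMPLE_PEM = b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIBCg==\n-----END ENCRYPTED PRIVATE KEY-----\n"


if __name__ == "__main__":
    for name, blob in (("encrypted DER", SAMPLE_ENCRYPTED),
                       ("plain DER", SAMPLE_PLAIN), ("PEM", SAMPLE_PEM)):
        print(f"{name:14s} importable: {is_encrypted_pkcs8_der(blob)}")
    print("0x313233 ->", id_hex_to_ascii("0x313233"))
    print("123      ->", id_ascii_to_hex("123"))
```

To use it on a real file, read the bytes of key-file after the conversion step and pass them to is_encrypted_pkcs8_der; if it returns False the conversion did not produce the expected format, and the import command will fail rather than the key being silently imported in the wrong shape.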
Another, less secure method of importing the private key is described in the section "Importing the Private Key Into the HSM".