Generating Tenant Key on Windows

  1. Use the following command to generate an RSA tenant key:

Console:

> p11tool2 slot=<slot_no.> loginuser=<user_password> PubKeyAttr=CKA_LABEL="<tenant_public_key>",CKA_MODULUS_BITS=<keysize> PrvKeyAttr=CKA_LABEL="<tenant_private_key>",CKA_EXTRACTABLE=CK_TRUE GenerateKeyPair=RSA

[Figure: List newly generated RSA keys]

<keysize> is the RSA key size in bits. Azure supports 2048, 3072 and 4096.

To generate an EC tenant key instead, use the following command:

Console:

> p11tool2 slot=<slot_no.> loginuser=<user_password> PubKeyAttr=CKA_LABEL="<tenant_public_key>",CKA_EC_PARAMS=oid:<curvename> PrvKeyAttr=CKA_LABEL="<tenant_private_key>",CKA_EXTRACTABLE=CK_TRUE GenerateKeyPair=ECC

<curvename> is the name of the EC curve. For Azure, this must be NIST-P256, NIST-P384 or NIST-P521.

[Figure: List newly generated ECC keys]

The "oid:<curvename>" syntax is supported starting with SecurityServer 4.40.

The attribute CKA_EXTRACTABLE must be set to CK_TRUE; otherwise the HSM refuses to wrap the private key for export in the next step.

  1. Navigate to the folder where byoktool is saved and run the following command to wrap the tenant key with the Key Exchange Key (KeyVaultKey) downloaded from Azure Key Vault.

Console:

> byoktool Dev=<IP_of_UTIMACO_HSM> LogonPass=<user>,<user_password> Label="<tenant_private_key>" CSP=azure PublicKey="<keyvaultkey>.publickey.pem" KID="<kid>" WrappedKey="<wrappedkey>"

For RSA key:

[Figure: Wrap the tenant key for RSA]

For ECC key:

[Figure: Wrap the tenant key for ECC]

Command Parameters:

  • <user> is "USR_0020" for PKCS#11 slot 20. Any other user/password combination with access to the tenant_private_key is possible as well.

  • <keyvaultkey> is the filename of the public key downloaded from Azure Key Vault.

  • <kid> is the key identifier of the KEK in Key Vault (e.g., https://KeyVaultUtimacoHSM.vault.azure.net/keys/mykek/eba63d27es214e028839s77fc905621).

  • <wrappedkey> is the filename of the wrapped tenant key.
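As an added example (not part of Utimaco's or Microsoft's tools), the following Python script pre-checks the <keysize> and <curvename> values against the Azure-supported sets given above, and sanity-checks the wrapped key file before it is uploaded to Key Vault. It assumes that the file byoktool writes is an Azure BYOK transfer blob (JSON with header.kid, header.enc and a base64url ciphertext) and that the KID points at a public-cloud vault.azure.net host; the sample blob and KID are constructed.

```python
# Added preflight checks for the BYOK steps on this page (not Utimaco or Microsoft code).
# Assumes byoktool's output is an Azure BYOK transfer blob: JSON with a "header" and
# a base64url "ciphertext", which is the format Key Vault imports.
import base64
import json
import re

RSA_SIZES = {2048, 3072, 4096}                       # Azure-supported <keysize> values
EC_CURVES = {"NIST-P256", "NIST-P384", "NIST-P521"}  # Azure-supported <curvename> values
# Key Vault key identifier shape: https://<vault>.vault.azure.net/keys/<name>/<version>
KID_RE = re.compile(r"^https://[A-Za-z0-9-]+\.vault\.azure\.net/keys/[A-Za-z0-9-]+/[A-Za-z0-9]+$")

def check_tenant_key_params(key_type, size_or_curve):
    """Return problems with the planned GenerateKeyPair parameters ([] if acceptable)."""
    if key_type == "RSA":
        return [] if size_or_curve in RSA_SIZES else [f"RSA size {size_or_curve} not supported"]
    if key_type == "ECC":
        return [] if size_or_curve in EC_CURVES else [f"curve {size_or_curve} not supported"]
    return [f"unknown key type {key_type!r}; expected RSA or ECC"]

def check_byok_blob(blob_text, expected_kid):
    """Sanity-check the wrapped tenant key file before uploading it to Key Vault."""
    problems = []
    if not KID_RE.match(expected_kid):
        problems.append("KID is not a Key Vault key identifier URL")
    try:
        blob = json.loads(blob_text)
    except ValueError:
        return problems + ["wrapped key file is not JSON"]
    header = blob.get("header", {})
    if header.get("kid") != expected_kid:
        problems.append("header.kid does not match the KEK given on the byoktool command line")
    if header.get("enc") != "CKM_RSA_AES_KEY_WRAP":
        problems.append("header.enc must be CKM_RSA_AES_KEY_WRAP (RSA-OAEP wrapped AES key + AES-wrapped tenant key)")
    ciphertext = blob.get("ciphertext", "")
    try:
        raw = base64.urlsafe_b64decode(ciphertext + "=" * (-len(ciphertext) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        raw = b""
    if len(raw) <= 256:  # a 2048-bit KEK alone yields a 256-byte RSA block; the wrapped tenant key follows it
        problems.append("ciphertext is too short to contain a wrapped AES key plus the tenant key")
    return problems

# Constructed sample values (no real key material), shaped like byoktool's output.
SAMPLE_KID = "https://KeyVaultUtimacoHSM.vault.azure.net/keys/mykek/0123456789abcdef0123456789abcdef"
SAMPLE_BLOB = json.dumps({"schema_version": "1.0.0",
                          "header": {"kid": SAMPLE_KID, "alg": "dir", "enc": "CKM_RSA_AES_KEY_WRAP"},
                          "ciphertext": base64.urlsafe_b64encode(b"\x00" * 300).rstrip(b"=").decode(),
                          "generator": "example"})
```

Run the checks with the real <kid> and the contents of <wrappedkey>; an empty list from each function means the values are consistent with the constraints on this page.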