- 07 Jan 2025
- 1 Minute à lire
- SombreLumière
- PDF
Secure Auditing With Thales ProtectServer
- Mis à jour le 07 Jan 2025
- 1 Minute à lire
- SombreLumière
- PDF
The ctcert tool provided with the Thales ProtectServer software is used to apply the required configuration to the HSM for secure auditing. For more information about ctcert, refer to the ProtectTookit C Administration Guide supplied with the HSM.
To enable secure auditing on the HSM, the master audit key pair must be created. Use ctcert to create the master audit key pair and then export the public certificate from the device.
A master audit key pair requires an attributes file. This file contains details of the issuer, subject, and key usage for this certificate. The minimum key usage required is:
keyusage { digitalSignature, nonRepudiation }
The following is an example of the contents of an attributes file:
label { MasterAuditCertificate } serialnumber { 1234 } issuer { CN=MasterAudit, OU=Identikey, O=VASCO, C=US } subject { CN=MasterAudit, OU=Identikey, O=VASCO, C=US } keyusage { digitalSignature, nonRepudiation, keyCertSign }
After configuring an attributes file, create a master audit key pair certificate for Thales ProtectServer.
To create the master audit keypair certificate
Generate the self signed certificate using the ctcert tool. An example of the ctcert command is:
ctcert c -t ec -Csecp256r1 -d1825d -k -lMasterAuditKey -s0 -xattributes.txt
where:
- ec means create an elliptic curve key.
- -Csecp256r1 means to create the key using this type of elliptic curve
- 1825d creates a certificate which has a validity period of 1825 days from the date this command is run.
- MasterAuditKey will be the label of the private key created on the HSM device.
- -s0 means create this keypair /certificate on the HSM slot 0.
- attributes.txt is the attributes file previously created.
You will be prompted to enter the user PIN for the specified slot (i.e. slot 0 in this case).
Extract the public certificate from the device and save it to a PEM file:
ctcert x -lMasterAuditCertificate -s0 -faudit_cert.pem
where:
- MasterAuditCertificate is the name of the certificate created in the previous step, from the label field in the sample attributes.txt file.
- -s0 specifies the slot where the certificate is located.
- audit_cert.pem is the PEM file that will contain the public certificate.