Sign a functionality module


After ensuring the general prerequisites are met and the preparations to add a Functionality Module (FM) are completed, the FM can be signed.

Prerequisites

The following prerequisites must be met:

  • The FM binary must be built on a Linux client. You can use either a Windows or Linux client to perform the signing operation.

  • The FM Tools option in the Luna HSM Client software must be installed on the client or signing station.

  • The client must have access to an application partition on the Luna Network HSM 7.

Signing the FM

Before the FM can be signed, a keypair and certificate must be created on the application partition. The Crypto Officer can create these.

To sign the FM

  1. Create a keypair and self-signed certificate.

    1. Use the cmu utility provided with the client software. Follow the prompts to create your keys to your specifications:

      cmu generatekeypair

    2. Check the contents of the partition to find the key handles:

      cmu list

    3. Create a self-signed certificate on the partition by specifying a label, the public and private key handles, and any other attributes you wish to assign. You are prompted for required attributes (Common Name, serial number, start/end dates) that you do not specify.

      cmu selfsigncertificate -slot <slot_number> -label <cert_label> -publichandle=<handle> -privatehandle=<handle>

    4. Export the certificate to the client file system, specifying the desired filename with .cert extension:

      cmu export -slot <slot_number> -label <cert_label> -outputfile=<filename.cert>

  2. Use this certificate to sign your FM using the mkfm utility provided with the client software. You need to specify the following:

    1. the unsigned FM binary

    2. the desired FM filepath/name with the .fm extension

    3. the slot number or name of the partition where the keypair is stored, and

    4. the private key label.

    If you are specifying a slot number, include -k SLOTID=<#> instead of the partition name.

    If you are using a Cryptoki signing station other than a Luna 7.x application partition, include the -c option. You are prompted for the partition/token credential. By default, the Crypto Officer role is used; to use the Crypto User role instead, include the -u option.

    mkfm -f <filepath/name>.bin -o <filepath/name>.fm -k <token_or_partition_name>/<private_key_label> [-c] [-u]

Your signed FM should now be located in the specified directory.
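The two steps above can be driven from one POSIX sh script. The following is an added example and not part of the Luna HSM documentation or client software: it assumes `cmu` and `mkfm` are on the PATH as described above, and every slot, label, handle and file name is a placeholder supplied by the caller. Because the page does not show the output format of `cmu list`, the key handles are passed in through the hypothetical `PUB_HANDLE` and `PRIV_HANDLE` environment variables rather than parsed. Setting `DRY_RUN=1` prints the commands instead of running them, which is also how the argument composition can be checked before touching the partition.

```shell
#!/bin/sh
# Added example (not from the Luna HSM documentation): drives the FM signing
# procedure. Assumes `cmu` and `mkfm` are on PATH; all names are placeholders.
set -eu

# Print a command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Compose the mkfm argument list from the documented syntax:
#   mkfm -f <in>.bin -o <out>.fm -k <partition>/<key_label> [-c] [-u]
# $1 unsigned FM (.bin)   $2 output file (.fm)
# $3 partition name, or a slot number (then the SLOTID=<#> form is used)
# $4 private key label
# $5 "cryptoki" adds -c for a signing station that is not a Luna 7.x partition
# $6 "user" adds -u to authenticate as Crypto User instead of Crypto Officer
mkfm_args() {
    in_bin=$1 out_fm=$2 part=$3 key_label=$4 station=${5:-luna} role=${6:-officer}

    case "$in_bin" in *.bin) ;; *) echo "input must be a .bin file: $in_bin" >&2; return 1 ;; esac
    case "$out_fm" in *.fm) ;; *) echo "output must use the .fm extension: $out_fm" >&2; return 1 ;; esac

    # A purely numeric third argument is a slot id, so SLOTID=<#> replaces the
    # partition name (this is our reading of the page's -k SLOTID=<#> note).
    case "$part" in
        ''|*[!0-9]*) keyspec="$part/$key_label" ;;
        *)           keyspec="SLOTID=$part/$key_label" ;;
    esac

    args="-f $in_bin -o $out_fm -k $keyspec"
    [ "$station" = cryptoki ] && args="$args -c"
    [ "$role" = user ] && args="$args -u"
    printf '%s\n' "$args"
}

# Step 1: keypair and self-signed certificate on the partition. PUB_HANDLE and
# PRIV_HANDLE (hypothetical env vars) hold the handles read from `cmu list`.
make_signing_cert() {
    slot=$1 cert_label=$2 cert_file=$3
    run cmu generatekeypair
    run cmu list
    run cmu selfsigncertificate -slot "$slot" -label "$cert_label" \
        -publichandle="$PUB_HANDLE" -privatehandle="$PRIV_HANDLE"
    run cmu export -slot "$slot" -label "$cert_label" -outputfile="$cert_file"
}

# Step 2: sign the FM, then record a digest of the result for the change log.
# STATION=cryptoki and ROLE=user (hypothetical env vars) map to -c and -u.
sign_fm() {
    in_bin=$1 out_fm=$2 part=$3 key_label=$4
    [ -f "$in_bin" ] || [ "${DRY_RUN:-0}" = 1 ] || { echo "missing $in_bin" >&2; return 1; }
    args=$(mkfm_args "$in_bin" "$out_fm" "$part" "$key_label" "${STATION:-luna}" "${ROLE:-officer}")
    # args is a deliberately word-split option list, so it is left unquoted.
    run mkfm $args
    if [ -f "$out_fm" ]; then sha256sum "$out_fm"; fi
}

# Usage (placeholders): PUB_HANDLE=<h> PRIV_HANDLE=<h> ./sign-fm.sh \
#   <slot> <cert_label> <cert.cert> <fm.bin> <fm.fm> <partition|slot#> <key_label>
if [ $# -eq 7 ]; then
    make_signing_cert "$1" "$2" "$3"
    sign_fm "$4" "$5" "$6" "$7"
fi
```

The extension and slot-number checks in `mkfm_args` catch the two mistakes the page calls out (wrong output extension, partition name versus `-k SLOTID=<#>`) before `mkfm` is invoked, and the digest printed at the end gives a value to record against the signed FM that is later loaded onto the HSM.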