Key Management Reading Time: 13 minutes

Understanding and Generating Certificate Signing Requests (CSRs) using Luna Cloud HSM – A Comprehensive Guide

Certificate Signing Requests (CSRs) are pivotal in web security and encryption. They are integral to the process of obtaining a Secure Socket Layer (SSL) or Transport Layer Security (TLS) certificate from a Certificate Authority (CA). This blog will guide you through understanding and generating a CSR, highlighting its importance in maintaining web security.

What is a CSR?

A block of encrypted text known as a Certificate Signing Request is sent when requesting an SSL Certificate from a Certificate Authority. It is typically generated on the server where the certificate will be installed. It contains information in the certificate, such as the organization name, common name (Domain name), place, and nation. Furthermore, it includes the public key that will be used to sign the certificate.

Why are CSRs important?

CSRs act as a conduit between the entity requesting the SSL certificate and the CA issuing it. By generating a CSR, you are creating two essential items. The first is the public key, which is included in the CSR. The second is the private key, generated simultaneously as the CSR and remains on your server. The private key must be kept secret, as it allows the server to authenticate and decode information once the SSL certificate is operational.

Overview of Luna Cloud HSM by Thales: Features and Benefits

Luna Cloud HSM is a Hardware Security Module (HSM) provided by Thales. The “Cloud HSM” part signifies that it’s a cloud-based offering. You can access it as a service over the internet instead of physically installing and managing an HSM in your data center. The Luna Cloud HSM is part of the CipherTrust Cloud Key Manager service provided by Thales.

An HSM is a dedicated hardware device with specialized cryptographic processors designed to manage digital keys and perform cryptographic operations. They provide a secure environment where you can generate, manage, and use encryption keys, keeping them isolated from other system parts to enhance security. HSMs are typically used to secure an organization’s most sensitive digital assets.

The Luna Cloud HSM brings the best of the cloud to the HSM world – scalability, accessibility, and lower upfront costs. You get the security of a traditional HSM with the added benefits of a cloud service.

The main features of Luna Cloud HSM are:

  1. Robust Security

    Luna Cloud HSM leverages Thales’s strong encryption and key management capabilities, delivering one of the highest cloud data protection levels. The HSMs are tamper-resistant and provide a secure environment for cryptographic operations.

  2. Scalability

    As your cryptographic needs grow, Luna Cloud HSM can easily scale with them. You don’t have to worry about buying and installing additional HSM hardware.

  3. High Availability

    Luna Cloud HSM provides high availability and automatic failover capabilities to ensure business continuity. You can deploy HSMs across multiple regions to mitigate local outages.

  4. Compliance

    Luna Cloud HSM helps you meet regulatory standards related to cryptographic operations and key management, including PCI-DSS, GDPR, and HIPAA. The service comes with comprehensive auditing and logging capabilities.

  5. Interoperability

    Luna Cloud HSM supports a wide range of cryptographic APIs, libraries, and integrations, such as PKCS#11, Java (JCE), Microsoft CryptoAPI, and Microsoft CNG, making it compatible with a broad range of applications and services.

Also, check the list of Supported Client Platforms for Luna Cloud HSM here.

How to Generate a CSR?

Generating a CSR can differ depending on the software you are using, but the core steps remain the same. Here is a general outline of the process:

  1. Preparation

    You must have all the relevant details before generating your CSR. This includes your domain name, organization name, locality (city), state or province name, and country code.

  2. Generate a Key Pair

    The first step in generating a CSR is creating a public-private key pair. Remember, your private key should remain securely within the server or hardware module it generates.

  3. Generate the CSR

    Use a CSR generation tool that aligns with your server software. This tool will ask you for the details prepared in Step 1 and for the private key generated in Step 2. The tool then generates an encoded file with the .csr or .req extension.

During the CSR generation process, you will be prompted to enter your details (common name, organization, locality, etc).

Generating CSR from Luna HSM

We will be generating CSR on Thales DPoD. So, first, we need to do the Application Owner Configuration, which means Adding and Configuring a client.

The client installation uses a .zip (Windows) or .tar (Linux) to deliver the client materials required for configuring your system’s connection to the Luna Cloud HSM Service. The client .zip includes a pre-configured crystoki-template.ini file and a client archive file containing a library and binary files.

Installing the Service Client

  • Access the Service Page and click the service or the partition name you want to generate a client.

    Thales Service Page
  • Click New Service Client – the Create Service Client window displays.

    Thales New Service Client
  • In the Create Service Client window, enter a Client Name (e.g., Pega-Macro) and select Create Service Client.

    Thales Service Client Detail

Configuring the Installed Service Client

  • A new client (in this case, setup-PKI-Luna.zip) generates and is provided for downloading and installing on your client machine.
  • The client is a zip file containing system information needed to connect your machine to an HSM partition. See the section Client Contents for client content details.
  • Transfer the client to your machine. You can transfer the client through SCP, PSCP, WinSCP, FTPS, or other security tools.
  • Using the Windows GUI or an unzip tool, unzip the file – setup-PKI-Luna.zip.
  • Decompress the cvclient-min.zip.
  • Extract the cvclient-min.zip within the directory you created in the previous step. This location is required for the setenv command in step 7. Do not extract to a new cvclient-min.zip directory.
  • Set the environment variable. Open an Administrator Command Prompt – right-click Command Prompt and select Run as Administrator. Execute the following in the Administrator Command Prompt:

    Configuring Installed Service Client in CMD

Configuring the SafeNet Key Storage Provider (KSP)

  • System requires access to the SafeNet Key Storage Provider (KSP). Copy the SafeNetKSP.dll file from your downloaded Luna Cloud HSM Service Client to C:\\Windows\System32.

    Note: Failure to copy the SafeNetKSP.dll file will result in no access to the SafeNet Key Storage Providers during the integration. For example, if configuring Microsoft Active Directory Certificate Services, the SafeNet Key Storage Providers will not be available options when setting up the Cryptography for CA.

  • Run KspConfig.exe
  • Navigate to the KSP installation directory.
  • Double-click Register or View Security Library.
  • Click Browse. Select the cryptoki.dll file from the Luna Cloud HSM Service Client.

    Click Register.

    Select Cryptoki File
  • On successful registration, a Success! Message displays. Click OK.

    Successful Registration Of KSP
  • Double-click Register HSM Slots.
  • Register the HSM for the Administrator user. For that, Open the Register For User drop-down menu and select Administrator; open the Domain drop-down menu and select your domain. Open the Available Slots drop-down menu, select the service label, Enter the Slot Password, and Click Register Slot.

    Registering HSM for Administrator User
  • On successful registration, a Success! Message displays. Click OK.

    HSM Successful Admin Registration
  • Register the HSM for the System user. Open the Register For User drop-down menu and select SYSTEM, the Domain drop-down menu, and NT AUTHORITY. Open the Available Slots drop-down menu, select the service label, Enter the Slot Password, and Click Register Slot.

    Register HSM for System User
  • On successful registration, a Success! Message displays. Click OK.

    Successful HSM Registration of System User

Generating the CSR in the Service Client

  • Create a file named request.inf and fill it with the following details to generate a request for an SSL certificate connected to an RSA key. The contents are:

    [Version]
    Signature = "$Windows NT$"
    [NewRequest]
    Subject = "C=US, S=Dallas, L=Texas, O=Encryption Consulting LLC, OU=Dev, [email protected], CN=ECIssued"
    HashAlgorithm = SHA256
    KeyAlgorithm = RSA
    KeyLength =2048
    ProviderName = "Safenet Key Storage Provider"
    KeyUsage = 0xf0
    MachineKeySet =True
    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.

    File to Generate Request for SSL Certificate

    Note: The Subject’s Common Name (CN) is arbitrarily chosen for this request and is subject to change.

    The parameters are:

    • Signature

      “$Windows NT$” specifies that the INF file is intended for use with Windows NT and later versions of Windows.

    • Subject

      • C – defines the two-letter country name for the certificate request’s distinguished subject name (DN). This parameter should be present in the subject DN.
      • S – defines the state name for the certificate request’s distinguished subject name (DN). This parameter should be present in the subject DN.
      • L – defines the locality (typically the city) for the distinguished subject name of the certificate request. This parameter may be present in the Subject DN.
      • O – defines the organization name for the certificate request’s distinguished subject name (DN). This parameter should be present in the subject DN.
      • OU – defines the organization unit name for the certificate request’s distinguished subject name (DN). This parameter may be present in the subject DN.
      • e – is the official or contact e-mail address of the certificate authority.
      • CN – defines the common name for the certificate request’s distinguished subject name (DN). This parameter should be present in the subject DN.
    • HashingAlgorithm

      SHA256 sets the hashing algorithm to SHA256, a standard and safe choice.

    • KeyAlgorithm

      RSA sets the key algorithm to RSA, a widely used public key algorithm.

    • KeyLength

      2048 sets the length of the key to 2048 bits. This is the current industry standard for RSA keys.

    • ProviderName

      “SafeNet Key Storage Provider” indicates the Cryptographic Service Provider (CSP) to be used. The CSP is a software library that implements cryptographic functions. In this case, the SafeNet Key Storage Provider is used.

    • KeyUsage

      0xf0 specifies the purpose of the key in the certificate. The value 0xf0 in hexadecimal corresponds to the binary value 11110000, which represents Digital Signature (0x80), Key Encipherment (0x20), Data Encipherment (0x10), and Key Agreement (0x08) key usages.

    • MachineKeySet

      True indicates the private key is stored in the local computer’s certificate store, not the current user’s.

    • EnhancedKeyUsageExtension

      OID=1.3.6.1.5.5.7.3.1 is an Object Identifier (OID) that specifies a usage for the certificate. The OID 1.3.6.1.5.5.7.3.1 represents “Server Authentication,” meaning that the certificate is intended for authenticating servers in SSL/TLS communications.

  • Open a new command prompt window as an administrator. You can do this by searching for “cmd” in the Start Menu, right-clicking on Command Prompt, and selecting “Run as administrator.”
  • Navigate to the path where requested.inf is and pressing Enter.
  • Now, generate the certificate request with the following command:

    certreq -new request.inf request.req

    Generate Certificate Request

    This command will create a new Certificate Signing Request (CSR) file named `request.req` based on the configuration in your `request.inf` file. You can send this CSR file to a Certificate Authority (CA) for your SSL certificate.

Sign the CSR using Microsoft CA

There are two different ways of Signing a CSR:

Accepting Certificate Request

  • Transfer the CSR file to Issuing CA and execute the command –

    certreq -submit -attrib "CertificateTemplate:<Template Name>" "C:\MacroSign.csr"

    Here, Template Name = “EncryptionConsuCodeSigning”

    Certificate Authority List
  • After Selecting the Certificate Authority from the Certificate Authority List, save the certificate with an appropriate name. (E.g.,= ECMacro, the extension should be either .crt or .cer)

    Save Certificate
  • On successful execution, you will find the Certificate inside the Issued Certificates in Certification Authority

    Issued Certificates
  • Check whether “Code Signing” is inside the attribute Enhanced Key Usage of the newly generated certificate.

    Check Code Signing is inside the Attribute Enhanced Key Usage

Via Web Enrolment

  • The available Templates in the Certificate Authority

    Available Templates In Certificate Authority
  • Now, perform the Web Enrollment after selecting a template – “Code Signing.” (in our case – https://ca02.encon.com/certsrv/)

    Perform Web Enrollment
  • After selecting Request a Certificate, this screen will come up. Select Advanced Certificate Request. (In our case – https://ca02.encon.com/certsrv/certrqus.asp)

    Request Certificate
  • Paste the contents of the CSR inside Saved Request and select Code Signing in the Certificate template. After that, click on Submit.

    Fill Parameters in Certificate Template
  • This will prompt for two options – Download Certificate and Download Certificate chain. Choose the latter one and download the chain to your local system.

    Download Certificate Chain
  • This is what the Certificate Chain will look like.

    Certificate Chain

Adding the Private key to the Certificate

  • Accepting and installing the certificate to be available within the Windows environment.

    Accepting and Installing the Certificate
  • Next, add the certificate to the “Personal” Certificates of Certificates – Local Computer using the command –

    certutil -store MY “<thumbprint of the certificate>”

    Add certificate to Personal Certificates

Troubleshooting

  • To check the list of CA templates present inside the Issuing CA –

    certutil -CATemplates

    To check the list of CA Templates
  • If the private key is not attached to the Certificate, try this “repairstore” command

    Attach Private Key to Certificate
  • CSP/KSP Registration is failing in Windows.

    CSP/KSP Registrations Can Fail if Windows Update is missing as it includes a step that verifies the DLLs are signed by Thales’ certificate that chains back to the DigiCert root of trust G4 (in compliance with industry security standards).

    This step can only succeed if your Windows operating system has the required certificate. If your Windows OS is updated, you should already have that certificate.

    If your Luna HSM Client host is connected to the internet, use the following commands to update the certificate manually:

    certutil -urlcache -f http://cacerts.digicert.com/DigiCertTrustedRootG4.crt DigiCertTrustedRootG4.crt
    certutil -addstore -f root DigiCertTrustedRootG4.crt

    To manually update a non-connected host

    • Download the DigiCert Trusted Root G4 (http://cacerts.digicert.com/DigiCertTrustedRootG4.crt DigiCertTrustedRootG4.crt) to a separate internet-connected computer.
    • Transport the certificate, using your approved means, to the Luna Client host into a <downloaded cert path> location of your choice
    • Add the certificate to the certificate store using the command:

      certutil -addstore -f root <downloaded cert path>

  • If the Subject from the certificate request is not shown on the certificate, try the following steps.

    • Open the Certificate Templates Console: On the AD CS server, open the Certificate Templates Console by running `certtmpl.msc` from the Run dialog (Win + R).
    • Duplicate an Existing Template: It’s generally a good idea to duplicate an existing template rather than modify one. Find a template that’s similar to what you want, right-click it, and select `Duplicate Template.`
    • Configure the Template: In the properties dialog for the new template, you can configure various settings. To set the Key Usage and Enhanced Key Usage fields:

      Key Usage: Go to the `Extensions` tab, select `Key Usage` in the list, and click `Edit.` Here you can select the key usages you want to include, such as `Digital Signature,` `Key Encipherment,` etc.

      Enhanced Key Usage: Still on the `Extensions` tab, select `Application Policies` and click `Edit.` Here you can add the enhanced key usages you want to include, such as `Code Signing,` `Server Authentication,` etc.

    • Save the Template: Once you’ve configured the template to your liking, give it a name and save it.
    • Issue the Template: The new template is now available but needs to be issued before it can be used. In the Certification Authority console (`certsrv.msc`), right-click `Certificate Templates,` select `New,` then `Certificate Template to Issue,` and select your new template.

    Requiring a certificate using this template should include the Key Usage and Enhanced Key Usage fields as you’ve configured them.

Conclusion

Once produced, the CSR may be used to seek an SSL certificate from a Certificate Authority. The CSR’s data will be used by the CA to build the certificate, assuring the security of your website and the transmission of information in a secure manner.

Although the procedures and protocols may appear difficult, using an SSL certificate to secure your website is essential for gaining visitors’ trust and safeguarding critical information. A CSR is essential to ensure that the correct data is included in your SSL certificate.

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

About the Author

Subhayu Roy's profile picture

Subhayu is a cybersecurity consultant specializing in Public Key Infrastructure (PKI) and Hardware Security Modules (HSMs) and is the lead developer for CodeSign Secure. At CodeSign Secure, his enthusiasm for coding meets his commitment to cybersecurity, with a fresh perspective and a drive to learn and grow in every project and work as a consultant for high-profile clients.

Explore the full range of services offered by Encryption Consulting.

Feel free to schedule a demo to gain a comprehensive understanding of all the services Encryption Consulting provides.

Request a demo