Oracle Cloud Infrastructure Documentation

Signing the CSR

Sign the CSR as part the cluster initialization state.

To sign, you must first create a self-signed signing certificate and use it for signing the CSR. To sign, you must complete the following:
  1. Generate RSA key pair for your HSM cluster resource. This key is called the Partition Owner (PO) key. Ensure you store the key and pass phrase in secure and safe location like KMS Vault. You can use the key to sign the partition CSR you downloaded in the previous step.
    $ openssl genrsa -aes256 -out customerPO.key 
Generating RSA private key, 2048 bit long modulus
........+++
....+++
e is 65537 (0x10001)
Enter pass phrase for customerPO.key:
Verifying - Enter pass phrase for customerPO.key:
  2. Use the Partition Owner key (customerPO.key) key to generate a partition owner certificate (partitionOwnerCert.pem). The following command generates the certificate valid only for ten years. You can change the expiry date if required but expiry must be at least 5 years. The partition owner certificate must be shared with Dedicated KMS users.
    $ openssl req -new -x509 -days 3650 -key customerPO.key -out partitionOwnerCert.pem
Enter pass phrase for customerPO.key:
-----
Country Name (2 letter code) []:US
State or Province Name (full name) []:CA
Locality Name (eg, city) []:SJ
Organization Name (eg, company) []:Oracle
Organizational Unit Name (eg, section) []:Sec
Common Name (eg, fully qualified host name) []:kms
Email Address []:
  3. Sign the CSR (partitionCsr .csr) using the Partition Owner key (customerPO.key) and partitionOwnerCert.pem (created in previous steps) to generate partitionCert.pem.
    $ openssl x509 -req -days 3650 -in partitionCsr.csr -CA partitionOwnerCert.pem -CAkey customerPO.key -CAcreateserial -out partitionCert.pem
Signature ok
subject=/C=US/ST=CA/L=Default City/O=Default Company Ltd/CN=user1
Getting CA Private Key
Enter pass phrase for customerPO.key:
$ ls
customerPO.key  partitionCert.pem  partitionOwnerCert.pem  partitionOwner.srl
  4. Encode the partitionCert.pem and partitionOwnerCert.pem to base 64 using below commands. (This step is only required for CLI).
  5. Upload the partitionCert.pem and partitionOwnerCert.pem certificates to the HSM cluster.
    openssl base64 -A -in partitionCert.pem
openssl base64 -A -in partitionOwnerCert.pem