Signing the CSR

Sign the CSR as part of the cluster initialization state.

To sign the CSR, you must first create a self-signed signing certificate and then use it to sign the CSR. Complete the following steps:
  1. Generate an RSA key pair for your HSM cluster resource. This key is called the Partition Owner (PO) key. Store the key and its pass phrase in a secure location such as KMS Vault. You use this key to sign the partition CSR you downloaded in the previous step.
    $ openssl genrsa -aes256 -out customerPO.key
    Generating RSA private key, 2048 bit long modulus
    ........+++
    ....+++
    e is 65537 (0x10001)
    Enter pass phrase for customerPO.key:
    Verifying - Enter pass phrase for customerPO.key:
    
  2. Use the Partition Owner key (customerPO.key) to generate a partition owner certificate (partitionOwnerCert.pem). The following command generates a certificate valid for ten years (3650 days). You can change the expiry if required, but it must be at least 5 years. The partition owner certificate must be shared with Dedicated KMS users.
    $ openssl req -new -x509 -days 3650 -key customerPO.key -out partitionOwnerCert.pem
    Enter pass phrase for customerPO.key:
    -----
    Country Name (2 letter code) []:US
    State or Province Name (full name) []:CA
    Locality Name (eg, city) []:SJ
    Organization Name (eg, company) []:Oracle
    Organizational Unit Name (eg, section) []:Sec
    Common Name (eg, fully qualified host name) []:kms
    Email Address []:
    
  3. Sign the CSR (partitionCsr.csr) using the Partition Owner key (customerPO.key) and the partition owner certificate (partitionOwnerCert.pem) created in the previous steps to generate partitionCert.pem.
    $ openssl x509 -req -days 3650 -in partitionCsr.csr -CA partitionOwnerCert.pem -CAkey customerPO.key -CAcreateserial -out partitionCert.pem
    Signature ok
    subject=/C=US/ST=CA/L=Default City/O=Default Company Ltd/CN=user1
    Getting CA Private Key
    Enter pass phrase for customerPO.key:
    $ ls
    customerPO.key  partitionCert.pem  partitionOwnerCert.pem  partitionOwner.srl
    
  4. Encode partitionCert.pem and partitionOwnerCert.pem to base64 using the following commands. (This step is only required for the CLI.)
    openssl base64 -A -in partitionCert.pem
    openssl base64 -A -in partitionOwnerCert.pem
    
  5. Upload the partitionCert.pem and partitionOwnerCert.pem certificates to the HSM cluster.
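The following script is an added example, not part of the Oracle documentation: it runs steps 1 to 4 above unattended in a scratch directory and then checks the result before upload (chain verifies, the certificate carries the CSR's subject, expiry meets the 5-year minimum, base64 is a single line). It assumes the openssl CLI is on PATH; the partition CSR and the PO pass phrase are constructed here for demonstration, whereas in real use the CSR is the partitionCsr.csr downloaded from the HSM cluster.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: runs the signing steps
# unattended and verifies the output before it is uploaded to the cluster.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"
PO_PASS="constructed-demo-passphrase"   # constructed; keep the real one in a vault
FIVE_YEARS=157680000                    # 5 * 365 * 86400 seconds, the minimum expiry

# Steps 1-3: PO key, self-signed PO certificate, and the signed partition cert.
sign_partition_csr() {
  # constructed stand-in for the CSR downloaded from the cluster
  openssl req -new -newkey rsa:2048 -nodes -keyout partition.key \
    -subj "/C=US/ST=CA/L=SJ/O=Example/CN=partition-demo" -out partitionCsr.csr 2>/dev/null
  openssl genrsa -aes256 -passout "pass:$PO_PASS" -out customerPO.key 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key customerPO.key -passin "pass:$PO_PASS" \
    -subj "/C=US/ST=CA/L=SJ/O=Oracle/OU=Sec/CN=kms" -out partitionOwnerCert.pem
  openssl x509 -req -days 3650 -in partitionCsr.csr -CA partitionOwnerCert.pem \
    -CAkey customerPO.key -passin "pass:$PO_PASS" -CAcreateserial \
    -out partitionCert.pem 2>/dev/null
}

# Checks worth running before upload: the chain verifies against the PO
# certificate, the certificate was issued for the CSR's subject, and it
# stays valid for at least five years.
verify_partition_cert() {
  openssl verify -CAfile partitionOwnerCert.pem partitionCert.pem >/dev/null || return 1
  csr_subj="$(openssl req -in partitionCsr.csr -noout -subject)"
  crt_subj="$(openssl x509 -in partitionCert.pem -noout -subject)"
  [ "$csr_subj" = "$crt_subj" ] || return 1
  # -checkend fails if the certificate expires within the given number of seconds
  openssl x509 -in partitionCert.pem -noout -checkend "$FIVE_YEARS" >/dev/null
}

# Step 4: single-line base64 for the CLI; -A writes no line breaks at all.
encode_for_cli() {
  openssl base64 -A -in partitionCert.pem > partitionCert.b64
  openssl base64 -A -in partitionOwnerCert.pem > partitionOwnerCert.b64
  [ "$(wc -l < partitionCert.b64 | tr -d ' ')" -eq 0 ]
}

sign_partition_csr
verify_partition_cert
encode_for_cli
echo "partition certificate verified; upload partitionCert.pem and partitionOwnerCert.pem"
```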