How to Store DSA Keys in an HSM

You can store a DSA's private key in an HSM instead of in a file. (In CA Directory a DSA is a Directory System Agent, the directory server process; the term is unrelated to the Digital Signature Algorithm.) DXserver accesses the HSM through the Public-Key Cryptography Standard #11 (PKCS#11) interface, so the private key never leaves the HSM; only the certificate is kept on disk.

CA Directory is designed to work with any HSM that provides a PKCS#11 interface. It has been tested with the Eracom "ProtectServer Orange External".

To store keys in an HSM that has an onboard CA engine (that is, one that can generate private keys and issue signed certificates), use the HSM manufacturer's tools as follows:

  1. Generate the key pair for each DSA inside the HSM. The private key stays in the HSM.
  2. Have the HSM sign a certificate request for the DSA. The subject of the resulting certificate must be the DSA name.
  3. Export the certificate in PEM format.
  4. Name the PEM file after the DSA name converted to lowercase, with the extension .pem.
  5. Copy the PEM file to the ssld config directory.
  6. Export the root CA certificate from the HSM and store it in the file trusted.pem.
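The following Ruby script is an added example, not code from the CA Directory documentation or product. It checks the files that steps 2 to 6 leave behind: the certificate file is named after the lowercased DSA name, its subject CN is the DSA name, and it chains to a root in trusted.pem. It assumes that "the subject must be the DSA name" means the subject's CN and that trusted.pem sits in the same directory as the DSA's PEM file. Because an HSM is not available to a stand-alone script, the keys and the issuing CA are software RSA keys generated in the script as a stand-in for the HSM's onboard CA engine; the DSA name Democorp and the temporary directory layout are constructed for the example.

```ruby
require "openssl"
require "tmpdir"

# Step 4: the certificate file is the DSA name in lowercase plus ".pem".
def pem_filename_for(dsa_name)
  dsa_name.downcase + ".pem"
end

# Check what a deployment put in the ssld config directory against the
# procedure: the file name follows the lowercase rule, the subject CN is the
# DSA name, and the certificate chains to a root in trusted.pem (assumed here
# to live in the same directory). Returns a list of problems; [] means OK.
def check_dsa_cert(ssld_dir, dsa_name)
  pem_path     = File.join(ssld_dir, pem_filename_for(dsa_name))
  trusted_path = File.join(ssld_dir, "trusted.pem")
  return ["missing #{pem_path}"]     unless File.exist?(pem_path)
  return ["missing #{trusted_path}"] unless File.exist?(trusted_path)

  problems = []
  cert = OpenSSL::X509::Certificate.new(File.read(pem_path))
  cn = cert.subject.to_a.find { |attr, _, _| attr == "CN" }&.at(1)
  unless cn == dsa_name
    problems << "subject CN #{cn.inspect} is not the DSA name #{dsa_name.inspect}"
  end

  store = OpenSSL::X509::Store.new
  store.add_file(trusted_path)           # trusted.pem from step 6
  unless store.verify(cert)              # also rejects an expired certificate
    problems << "does not chain to trusted.pem: #{store.error_string}"
  end
  problems
end

# Constructed stand-in for the HSM's onboard CA. In a real deployment the
# keys are generated inside the HSM with the vendor's tools and never leave
# it; here they are software keys so the example runs anywhere.
def make_cert(cn, key, serial, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                    # X.509 v3
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.new([["CN", cn]])
  cert.issuer     = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer || cert
  if ca
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  else
    cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
    cert.add_extension(ef.create_extension("keyUsage", "digitalSignature,keyEncipherment", true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Build a throwaway ssld directory for a hypothetical DSA and run the check
# three times: a correct deployment, a certificate whose subject is not the
# DSA name, and a certificate issued by a CA that is not in trusted.pem.
def demo(dsa_name = "Democorp")
  results = {}
  Dir.mktmpdir("ssld") do |ssld|
    ca_key  = OpenSSL::PKey::RSA.new(2048)
    ca_cert = make_cert("Example HSM Root CA", ca_key, 1, ca: true)
    File.write(File.join(ssld, "trusted.pem"), ca_cert.to_pem)          # step 6
    dsa_key  = OpenSSL::PKey::RSA.new(2048)
    pem_path = File.join(ssld, pem_filename_for(dsa_name))              # steps 4 and 5

    good = make_cert(dsa_name, dsa_key, 2, issuer: ca_cert, issuer_key: ca_key)
    File.write(pem_path, good.to_pem)
    results[:good] = check_dsa_cert(ssld, dsa_name)

    wrong_cn = make_cert("not-the-dsa", dsa_key, 3, issuer: ca_cert, issuer_key: ca_key)
    File.write(pem_path, wrong_cn.to_pem)
    results[:wrong_subject] = check_dsa_cert(ssld, dsa_name)

    rogue_key = OpenSSL::PKey::RSA.new(2048)
    rogue_ca  = make_cert("Untrusted CA", rogue_key, 4, ca: true)
    untrusted = make_cert(dsa_name, dsa_key, 5, issuer: rogue_ca, issuer_key: rogue_key)
    File.write(pem_path, untrusted.to_pem)
    results[:untrusted_issuer] = check_dsa_cert(ssld, dsa_name)
  end
  results
end

if __FILE__ == $0
  demo.each { |scenario, problems| puts "#{scenario}: #{problems.empty? ? 'OK' : problems.join('; ')}" }
end
```

Against a real deployment, call check_dsa_cert with the path of the ssld config directory and the DSA name after copying the files exported from the HSM; the make_cert and demo helpers exist only so the script can be run without an HSM.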

When an SSL session is established, DXserver uses the certificate subject to locate the matching private key in the HSM and the HSM PIN to log in to it. Because the PIN unlocks the key, protect it as carefully as you would a private-key file.

More information:

Integrate an Eracom HSM