1. Overview

This HowTo describes how to configure the Rsignd service (the PKI service) of WebADM on a PKCS#11 cryptographic hardware security module (HSM). The objective is to involve the HSM in all CA signing operations and to increase the protection of the CA private key. This configuration is probably the most secure setup for a PKI service because logical and physical access to the HSM is limited to one or a few persons in a company.
Documents in HSM
Setup of MIRkey / eHSM devices to use with WebADM

1. Introduction

This guide will lead you through the setup of one or, preferably, several (for load-balancing and fail-over purposes) eHSM / MIRkey devices to use hardware cryptography within WebADM, adding an extra layer of security to protect WebADM sensitive data. MIRkey HSMs require at least WebADM 2.0.17.

2. Download and install the ellipticSecure Device Manager

Although it is possible to initialize and set up the eHSM or MIRkey using standard command-line PKCS#11 tools, we recommend using the ellipticSecure Device Manager GUI. It allows updating the firmware and setting up a backup domain, so that backups taken from one device can be restored to a different device, which is particularly useful for load-balancing across several HSMs and for disaster recovery.
Setup of SmartCard-HSM devices to use with WebADM

1. Introduction

This guide will lead you through the setup of one or, preferably, several (for load-balancing and fail-over purposes) SmartCard-HSM devices to use hardware cryptography within WebADM, adding an extra layer of security to protect WebADM sensitive information. All steps of the initialization, configuration and replication of the devices can be performed with standard command-line tools directly on the server where WebADM is installed, except for the generation of the AES secret key, which, as we write these lines, is only exportable to another device if it has been generated properly through the Smart Card Shell GUI.
1. Product Documentation

This document describes how to correctly configure the Yubico YubiHSM and enable it through the WebADM settings, in order to provide both hardware-level encryption and random seed generation (the strongest enterprise security available) in your RCDevs product. WebADM only needs a subset of commands to work with the YubiHSM, and the reader should note that this document is not a guide to all possible modes of operation provided by the device itself.