Which CloudHSM certificates are used for the client-server end-to-end encrypted connection?

Last updated: 2021-06-23

How does the AWS CloudHSM client end-to-end encryption work, and which HSM certificates are used?

Short description

The end-to-end encrypted connection between the CloudHSM client and HSMs within a CloudHSM Cluster is established through two nested TLS connections. For more information, see CloudHSM client end-to-end encryption.


Follow these instructions to set up end-to-end encrypted communication with an HSM.

Note: Be sure to use the specified certificates to avoid a TLS connection failure.

Server TLS Connection

Establish a TLS connection from the client to the server that hosts the HSM hardware. This is a two-way TLS connection between the server and client.

The server sends a self-signed certificate. You can view the details of this self-signed certificate by running a command similar to the following:

$ openssl s_client -connect <HSM_IP>:2223 2> /dev/null | openssl x509 -subject -issuer -serial -noout
issuer= /C=US/ST=Virginia/L=Herndon/O=AWS/OU=AWS Cryptography/CN=CloudHSM/emailAddress=cloudhsm-team@amazon.com
subject= /C=US/ST=Virginia/L=Herndon/O=AWS/OU=AWS Cryptography/CN=CloudHSM/emailAddress=cloudhsm-team@amazon.com

The HSM client verifies that this certificate is included in the CA trust path in the /opt/cloudhsm/etc/certs directory. The cloudhsm-client package includes two such certificates, similar to the following:

$ cd /opt/cloudhsm/etc/certs

$ ls
21a10654.0  712ff948.0

$ openssl x509 -subject -issuer -serial -noout -in 21a10654.0
subject= /C=US/ST=Virginia/L=Herndon/O=AWS/OU=AWS Cryptography/CN=CloudHSM/emailAddress=cloudhsm-team@amazon.com
issuer= /C=US/ST=Virginia/L=Herndon/O=AWS/OU=AWS Cryptography/CN=CloudHSM/emailAddress=cloudhsm-team@amazon.com

$ openssl x509 -subject -issuer -serial -noout -in 712ff948.0
subject= /C=US/ST=Virginia/L=Herndon/O=AWS/OU=Cryptography/CN=CloudHSM/emailAddress=cloudhsm-team@amazon.com
issuer= /C=US/ST=Virginia/L=Herndon/O=AWS/OU=Cryptography/CN=CloudHSM/emailAddress=cloudhsm-team@amazon.com

The HSM client sends its client certificate, which is stored at /opt/cloudhsm/etc/client.crt. The client certificate must be either the default certificate included with the CloudHSM client or a certificate issued by the customer CA certificate stored on the CloudHSM client at /opt/cloudhsm/etc/customerCA.crt.

The server verifies that this is either the default certificate or a certificate issued by customerCA.crt.

HSM TLS Connection

Establish a second TLS connection from the client to the HSM, tunnelled inside the first TLS connection. The server sends the CloudHSM cluster certificate issued during cluster initialization. Download the certificate with the following command:

aws cloudhsmv2 describe-clusters --query "Clusters[?ClusterId=='<Cluster_ID>'].Certificates.ClusterCertificate" --output text

The client verifies that this certificate was issued by the customer CA certificate at /opt/cloudhsm/etc/customerCA.crt. The client then has a verified connection to the HSM in the cluster.

Note: The server certificate and the CloudHSM cluster certificate can't be changed or renewed.
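The checks the two sections above describe, as an added shell example that is not part of the original article or of the AWS client software: it compares the self-signed server certificate against the trust anchors in the certs directory and verifies the cluster certificate and client certificate against customerCA.crt with openssl. The HSM IP address and the saved cluster certificate file are the caller's own values; the paths default to the ones named above, and overriding them through environment variables is a convenience of this example, not a client feature.

```shell
#!/bin/sh
# Added example (not AWS code): verify the certificate relationships behind the
# two nested CloudHSM TLS connections. Assumes openssl is installed and that the
# cluster certificate was saved to a file with the describe-clusters command.

# SHA-256 fingerprint of a PEM certificate file.
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Server TLS layer: the self-signed server certificate must be one of the
# trust anchors (the *.0 files) in the client's certs directory.
# Usage: server_cert_trusted SERVER_CERT_PEM CERTS_DIR
server_cert_trusted() {
  want=$(cert_fingerprint "$1")
  for anchor in "$2"/*.0; do
    [ -f "$anchor" ] || continue
    [ "$(cert_fingerprint "$anchor")" = "$want" ] && return 0
  done
  return 1
}

# HSM TLS layer and client certificate: CERT must chain to CA_FILE.
# Usage: issued_by CERT_PEM CA_PEM
issued_by() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Save the certificate the server presents on port 2223 (the same connection the
# article's openssl s_client command makes) as PEM. Usage: fetch_server_cert HSM_IP OUT
fetch_server_cert() {
  openssl s_client -connect "$1:2223" </dev/null 2>/dev/null | openssl x509 -out "$2"
}

# Run every check. Usage: check_all HSM_IP CLUSTER_CERT_PEM
check_all() {
  certs_dir=${CERTS_DIR:-/opt/cloudhsm/etc/certs}
  customer_ca=${CUSTOMER_CA:-/opt/cloudhsm/etc/customerCA.crt}
  client_cert=${CLIENT_CERT:-/opt/cloudhsm/etc/client.crt}
  tmp=$(mktemp)
  fetch_server_cert "$1" "$tmp" || { echo "could not fetch server certificate"; rm -f "$tmp"; return 1; }
  server_cert_trusted "$tmp" "$certs_dir" && echo "server cert: trusted" || echo "server cert: NOT in $certs_dir"
  issued_by "$2" "$customer_ca" && echo "cluster cert: issued by customerCA.crt" || echo "cluster cert: NOT issued by customerCA.crt"
  issued_by "$client_cert" "$customer_ca" && echo "client cert: issued by customerCA.crt" || echo "client cert: not issued by customerCA.crt (must then be the default client cert)"
  rm -f "$tmp"
}
```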
