Which CloudHSM certificates are used for the client-server end-to-end encrypted connection?
Last updated: 2021-06-23
How does the AWS CloudHSM client end-to-end encryption work, and which HSM certificates are used?
The end-to-end encrypted connection between the CloudHSM client and HSMs within a CloudHSM Cluster is established through two nested TLS connections. For more information, see CloudHSM client end-to-end encryption.
Follow these instructions to set the end-to-end encrypted communication with an HSM.
Note: Be sure to use the specified certificates to avoid a TLS connection failure.
Server TLS Connection
Establish a TLS connection from the client to the server that hosts the HSM hardware. This is a two-way TLS connection between the server and client.
The server sends a self-signed certificate. You can view this self-signed certificate details by running a command similar to the following:
serial=B7FA7A40976CBE82 issuer= /C=US/ST=Virginia/L=Herndon/O=AWS/OU=AWS Cryptography/CN=CloudHSM/emailAddressemail@example.com subject= /C=US/ST=Virginia/L=Herndon/O=AWS/OU=AWS Cryptography/CN=CloudHSM/emailAddressfirstname.lastname@example.org $ openssl s_client -connect <HSM_IP>:2223 2> /dev/null | openssl x509 -subject -issuer -serial -noout
The HSM client verifies that this certificate is included in the CA trust path in the /opt/cloudhsm/etc/cert directory. Two certificates are included in the cloudhsm-client package similar to the following:
$ cd /opt/cloudhsm/etc/certs $ ls 21a10654.0 712ff948.0 $ openssl x509 -subject -issuer -serial -noout -in 21a10654.0 subject= /C=US/ST=Virginia/L=Herndon/O=AWS/OU=AWS Cryptography/CN=CloudHSM/emailAddressemail@example.com issuer= /C=US/ST=Virginia/L=Herndon/O=AWS/OU=AWS Cryptography/CN=CloudHSM/emailAddressfirstname.lastname@example.org serial=B7FA7A40976CBE82 $ openssl x509 -subject -issuer -serial -noout -in 712ff948.0 subject= /C=US/ST=Virginia/L=Herndon/O=AWS/OU=Cryptography/CN=CloudHSM/emailAddressemail@example.com issuer= /C=US/ST=Virginia/L=Herndon/O=AWS/OU=Cryptography/CN=CloudHSM/emailAddressfirstname.lastname@example.org serial=A7525B285D1C2BB5
The HSM client sends the client certificate to the /opt/cloudhsm/etc/client.crt directory. The client certificate must be either the default certificate included in the CloudHSM client CA certificate on the CloudHSM client in the /opt/cloudhsm/etc/customerCA.crt directory.
The server verifies that this is either the default certificate or a certificate issued by customerCA.crt.
HSM TLS Connection
Establish a second TLS connection from the client to the HSM from within the first TLS connection layer. The server sends the CloudHSM cluster certificate issued during the cluster initialization. Download the certificate with the following command:
aws cloudhsmv2 describe-clusters --query "Clusters[?ClusterId=='<Cluster_ID>'].Certificates.ClusterCertificate" --output text
The client verifies that this is a certificate issued by the customerCA.crt in the /opt/cloudhsm/etc/customerCA.crt directory. Then, the client verifies connection to the HSM in the Cluster.
Note: The server certificate and the CloudHSM cluster certificate can't be changed or renewed.