Generate Digital Signatory Keys on an HSM
When activating a PIV (Personal Identity Verification, the technical standard of HSPD-12), PIV-I (Personal Identity Verification - Interoperable) or CIV (Commercial Identity Verification) card, ActivID CMS uses digital signatory parameters to sign PIV objects (user-related data required by PIV, such as the CHUID (Card Holder Unique Identifier) or fingerprints, that is securely stored on the card). The cryptographic keys used to sign PIV objects can be generated and stored on an HSM (Hardware Security Module). An HSM securely stores secret key material; it is similar to a large-storage, multi-session smart card but, unlike a smart card, is used mainly on the server side of a system. To generate the signatory keys on an HSM, a utility is available in the ActivID CMS distribution, in the Tools\PIV\DigitalSignatoryKeyOnHSM directory.
The Key Generation utility requires the Oracle JRE. The tool also requires that you register the SunPKCS11 provider at the top of the provider list in the %JRE home%\lib\security\java.security configuration file, so that PKCS#11 key store and signature operations are served by the HSM rather than by a software provider.
-
Highlight the following lines in the security.provider section of the java.security file:
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=com.sun.security.sasl.Provider
-
Edit them to look like the following (assuming that C:/tools/DigitalSignatoryKeyOnHSM is the path to this utility). The class-name form shown is the syntax for Java 8 and earlier; on Java 9 and later the entry is written as the provider name SunPKCS11 followed by the same configuration file path:
security.provider.1=sun.security.pkcs11.SunPKCS11 C:/tools/DigitalSignatoryKeyOnHSM/pkcs11.cfg
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
-
Update the pkcs11.cfg file found in the Tools/PIV/DigitalSignatoryKeyOnHSM directory.
The library entry must be updated to point to the HSM vendor's PKCS#11 library (the full path of the DLL or shared object).
The slot entry can be updated to specify the HSM slot to access (required if multiple slots are available). Check that the slot you select is the one that the ActivID CMS server itself will use, so that the signing key is visible to both the utility and the server.
To generate a private signing key on an HSM, use the kt_genkey utility found in the Tools/PIV/DigitalSignatoryKeyOnHSM directory. Use it as follows (use a 2048-bit key: 1024-bit RSA is below the minimum that NIST SP 800-131A allows for digital signature generation and is not acceptable for PIV content signing):
kt_genkey [(INPUT) HSM PIN] [(INPUT) key alias] [(INPUT) key size 1024/2048] [(INPUT) Subject DN for CSR generation]
For example:
kt_genkey 1234 MyKEY 2048 "CN=PIV Signer, O=NIST, C=US"
To generate a certificate request associated with the signing key generated on the HSM, use the kt_gencsr utility found in the Tools/PIV/DigitalSignatoryKeyOnHSM directory. Use it as follows:
kt_gencsr [(INPUT) HSM PIN] [(INPUT) key alias] [(OUTPUT) CSR file name]
For example:
kt_gencsr 1234 MyKEY mycsr.txt
Submit the certificate request to your CA and save the issued certificate chain in base-64 (PEM) format in a file with a .p7b extension. Use a certificate template whose extended key usage includes the id-PIV-content-signing OID (2.16.840.1.101.3.6.7); PIV relying parties check for this OID when they validate the signature on PIV objects.
To import the certificate generated by the CA and associate it with the signing private key, use the kt_importcert utility found in the Tools/PIV/DigitalSignatoryKeyOnHSM directory. Use it as follows:
kt_importcert [(INPUT) HSM PIN] [(INPUT) key alias] [(INPUT) file with certificate chain]
For example:
kt_importcert 1234 MyKEY MyCert.p7b
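Before pointing ActivID CMS at the key, it is worth confirming that kt_genkey and kt_importcert left the HSM in the state the server expects: a private-key entry under the chosen alias, bound to a certificate that carries the id-PIV-content-signing EKU, with a private key that actually matches that certificate. The program below is an added example written for this page; it is not part of ActivID CMS or of the kt_* tools. It assumes the SunPKCS11 provider is registered in java.security with the pkcs11.cfg described above (so that KeyStore.getInstance("PKCS11") resolves to the HSM), that the key is RSA as produced by kt_genkey, and it takes the HSM PIN and key alias on the command line exactly as the kt_* tools do. The probe message it signs is a constructed test string.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.List;

/**
 * Added verification example (not ActivID CMS code). Assumes SunPKCS11 is
 * registered in java.security with the pkcs11.cfg used by the kt_* tools.
 */
public class CheckHsmSigningKey {

    /** id-PIV-content-signing, the EKU the CA template must carry. */
    static final String PIV_CONTENT_SIGNING_OID = "2.16.840.1.101.3.6.7";

    /** Smallest RSA modulus acceptable for a PIV content-signing key. */
    static final int MIN_RSA_BITS = 2048;

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java CheckHsmSigningKey <HSM PIN> <key alias>");
            System.exit(2);
        }
        char[] pin = args[0].toCharArray();
        String alias = args[1];

        // Open the HSM-backed key store through the registered SunPKCS11 provider.
        // load(null, pin) logs in to the token with the HSM PIN.
        KeyStore ks = KeyStore.getInstance("PKCS11");
        ks.load(null, pin);
        Provider hsm = ks.getProvider();

        if (!ks.isKeyEntry(alias)) {
            fail("alias '" + alias + "' is not a private-key entry on the HSM (kt_genkey not run?)");
        }

        // kt_importcert binds the CA-issued chain to the key; chain[0] is the signer certificate.
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            fail("no certificate chain bound to alias '" + alias + "' (run kt_importcert first)");
        }
        X509Certificate signer = (X509Certificate) chain[0];
        signer.checkValidity(); // throws if the certificate is expired or not yet valid

        // 1. Key type and size: the content-signing key must be RSA of at least 2048 bits.
        if (!(signer.getPublicKey() instanceof RSAPublicKey)) {
            fail("signer certificate does not hold an RSA public key");
        }
        RSAPublicKey pub = (RSAPublicKey) signer.getPublicKey();
        int bits = pub.getModulus().bitLength();
        if (bits < MIN_RSA_BITS) {
            fail("signer key is only " + bits + " bits; regenerate with kt_genkey ... 2048");
        }

        // 2. The certificate must carry the id-PIV-content-signing extended key usage.
        List<String> eku = signer.getExtendedKeyUsage();
        if (eku == null || !eku.contains(PIV_CONTENT_SIGNING_OID)) {
            fail("certificate for '" + alias + "' lacks EKU " + PIV_CONTENT_SIGNING_OID + " (wrong CA template?)");
        }

        // 3. Prove the HSM private key matches the certificate: sign inside the HSM,
        //    then verify in software with the certificate's public key.
        byte[] probe = "ActivID CMS HSM signing-key check".getBytes(StandardCharsets.UTF_8); // constructed input
        PrivateKey priv = (PrivateKey) ks.getKey(alias, pin);
        Signature sign = Signature.getInstance("SHA256withRSA", hsm);
        sign.initSign(priv);
        sign.update(probe);
        byte[] sig = sign.sign();

        Signature verify = Signature.getInstance("SHA256withRSA");
        verify.initVerify(pub);
        verify.update(probe);
        if (!verify.verify(sig)) {
            fail("signature made with the HSM key does not verify with the certificate's public key");
        }

        System.out.println("OK: alias '" + alias + "' on provider " + hsm.getName() + ", RSA " + bits
                + " bits, subject " + signer.getSubjectX500Principal() + ", chain length " + chain.length);
    }

    private static void fail(String msg) {
        System.err.println("FAIL: " + msg);
        System.exit(1);
    }
}
```

Compile with javac CheckHsmSigningKey.java and run it with the same JRE whose java.security you edited, for example java CheckHsmSigningKey 1234 MyKEY. Like the kt_* tools it takes the PIN on the command line, so clear the command history afterwards. A FAIL on step 1 means kt_genkey was run with 1024; a FAIL on step 2 means the CA template is wrong and the certificate must be reissued before kt_importcert is repeated; a FAIL on step 3 means the imported certificate belongs to a different key than the one under the alias.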
To enable signing of PIV objects with keys held in the HSM, set the Signature mode of PIV objects to true:
sign.hsm=true
By default, HSM PIN sharing is enabled in the ActivID CMS securedata.properties configuration file, located in the %PROGRAMDATA%\HID Global\Credential Management System\Local Files\services\repositories directory, through the following entry, which lists the aliases that share the same HSM PIN:
SecureData.HSMPin.alias = enroll.PIV.HSMPin,PeopleManagerHSMPin,HSMPin,enroll.CIV.HSMPin
Configure the digital signature key alias (the key alias you passed to kt_genkey and kt_importcert) in the PIVEnrollment.properties file, entry sign.alias.
Restart the ActivID CMS server to complete this process.