This guide includes instructions for completing your code signing order using the Install on Existing HSM method, specifically for the Luna Network Attached HSM v7.x.

This guide also assumes you already own your Luna HSM device and are familiar with the associated software. You must own this hardware prior to placing your code signing order. If you are less familiar with hardware security modules, you may wish to instead order a pre-configured certificate token (Token + Shipping method).

The instructions below are provided by Sectigo CA. Please refer back to the specific manufacturer of your hardware security module (HSM) for further instructions, as we cannot provide support for third-party hardware.

Luna HSM Attestation Package

Luna HSMs generates a public key confirmation package for a given key pair stored in the HSM. This package is used to verify that the key pair was indeed generated and stored in a FIPS-enabled Luna HSM.

Attestation Package Format

The generated public key confirmation (PKC) files are DER PKCS7 files containing a certificate chain. There are some differences in contents based on the asymmetric algorithm used to generate the keypair.

PKC for RSA Keypair

When generating PKC for an RSA key pair there are two possible formats:

  • TC-Trust Center - in this format the PKC contains 3 certificates, and the chain doesn't end with expected SafeNet root.
  • Chrysalis-ITS - in this format the PKC contains 5 certificates, and the chain ends with expected SafeNet root.

Note: Please refer to Luna HSM for more information on Thale’s documentation.

Generate PKC in Chrysalis-ITS

To generate an RSA key pair, CSR, and a PKC in the Chrysalis-ITS format:

1. After successfully logging into Luna HSM using Luna remote client, generate an RSA key pair on a Luna Partition1 using the LunaCM2 utility with the following command:

c:\ cd c:\Program Files\SafeNet\LunaClient
c:\Program Files\SafeNet\LunaClient\> lunacm
> cd /usr/safenet/lunaclient/bin
cmu gen -modulusBits=3072 -publicExp=65537 -sign=T -verify=T -label=example-key -extractable=false

Note: The parameters, -extractable=false and -sign=T are mandatory. Without them, CSR generation will fail because Luna will not use this key for signing the CSR.

2. Get the handle numbers of your public and private keys by looking at the output of the following commands:

cmu list -class public
cmu list -class private

3. Generate a CSR using the following command (replace AAA and BBB with your public and private key handles respectively):

cmu requestcert -publichandle=AAA -privatehandle=BBB -C=CA -L=Ottawa -O=Sectigo -CN=PKC Test Cert -outputFile=rsacsr.pem

4. Generate a PKC by running the following command (replace AAA with your public key handle):

cmu getpkc -handle=AAA -outputfile=<filename>.p7b -pkctype=2 -verify

5. Save the file (<filename>. p7b) to submit as your attestation package.

6. Double-click the <filename>. p7b to view the chain of certificates.

Once this PKC file is generated, you will upload it as the attestation file on your Code Signing order form.