Preparing an Eracom HSM for Use

These instructions have been tested with Eracom CSA8000.

When the Eracom CSA 8000 PCI card has been installed according to the installation manual (the process is slightly different on each platform), you should have access to the Eracom key management utility called KMU.

KMU is the utility designed for all key creation and backup tasks.

The Eracom Administration Manual covers the initial setup, but a short list of the required steps follows.

  1. Set the security options by logging into the administrator token. Here you can specify whether or not the device operates in FIPS 140-1 mode.
  2. Select slot 0. The slot numbered zero is the actual cryptographic device. The other slots represent the administrator token and the smart card reader slots.
  3. Create a key-backup key. This key is used to encrypt the backed-up keys. The backup key must have the WRAP value set to TRUE. Good defaults for the key are:
    • key type: 3DES
    • label: "backup key".

    The default values for other attributes are OK.

    Eracom also has a proprietary attribute, EXPORT, which is similar to WRAP. However, the WRAP attribute requires that the backup key is created with the Private attribute set to FALSE, which is why we do not recommend this alternative. See the Eracom Administrator Manual for more information.

  4. Create the CA key pair. It is recommended to use at least a 2048-bit RSA key. If key backup is needed, the key must have the Extractable attribute set to TRUE.

Once the key has been created, it is available to SSH Tectia Certifier as soon as the PKCS #11 module has been added to Certifier.
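
The following Python check is an added example, not part of the original documentation or of any Eracom or SSH tool. It audits a listing of slot 0 objects against the settings in steps 3 and 4, using standard PKCS #11 attribute names. The listings are constructed sample data and the label "ca key" is an assumption; on a real device the attributes would be read through the HSM's PKCS #11 module.

```python
MIN_RSA_BITS = 2048  # minimum CA key size recommended in step 4

def audit_slot(objects, backup_needed=True):
    """Return findings for a slot's objects; an empty list means no deviations."""
    findings = []
    secret = [o for o in objects if o.get("CKA_CLASS") == "CKO_SECRET_KEY"]
    wrap_keys = [o for o in secret if o.get("CKA_WRAP") is True]
    # Step 3: backups need a key-backup key that is allowed to wrap other keys.
    if backup_needed and not wrap_keys:
        findings.append("no secret key with CKA_WRAP=TRUE, so keys cannot be backed up")
    for o in wrap_keys:
        if o.get("CKA_KEY_TYPE") != "CKK_DES3":
            label = o.get("CKA_LABEL", "<unlabelled>")
            findings.append(f"{label}: key type {o.get('CKA_KEY_TYPE')} differs from the 3DES default")
    # Step 4: CA key pair size and extractability.
    for o in objects:
        if o.get("CKA_KEY_TYPE") != "CKK_RSA":
            continue
        label = o.get("CKA_LABEL", "<unlabelled>")
        cls = o.get("CKA_CLASS")
        bits = o.get("CKA_MODULUS_BITS", 0)
        if cls == "CKO_PUBLIC_KEY" and bits < MIN_RSA_BITS:
            findings.append(f"{label}: RSA modulus is {bits} bits, below {MIN_RSA_BITS}")
        if cls == "CKO_PRIVATE_KEY" and backup_needed and o.get("CKA_EXTRACTABLE") is not True:
            findings.append(f"{label}: CKA_EXTRACTABLE is not TRUE, so the key cannot be backed up")
    return findings

# Constructed sample listings (not output from a real device).
GOOD_SLOT = [
    {"CKA_CLASS": "CKO_SECRET_KEY", "CKA_KEY_TYPE": "CKK_DES3",
     "CKA_LABEL": "backup key", "CKA_WRAP": True},
    {"CKA_CLASS": "CKO_PUBLIC_KEY", "CKA_KEY_TYPE": "CKK_RSA",
     "CKA_LABEL": "ca key", "CKA_MODULUS_BITS": 2048},
    {"CKA_CLASS": "CKO_PRIVATE_KEY", "CKA_KEY_TYPE": "CKK_RSA",
     "CKA_LABEL": "ca key", "CKA_EXTRACTABLE": True},
]
BAD_SLOT = [
    {"CKA_CLASS": "CKO_SECRET_KEY", "CKA_KEY_TYPE": "CKK_DES3",
     "CKA_LABEL": "backup key", "CKA_WRAP": False},
    {"CKA_CLASS": "CKO_PUBLIC_KEY", "CKA_KEY_TYPE": "CKK_RSA",
     "CKA_LABEL": "ca key", "CKA_MODULUS_BITS": 1024},
    {"CKA_CLASS": "CKO_PRIVATE_KEY", "CKA_KEY_TYPE": "CKK_RSA",
     "CKA_LABEL": "ca key", "CKA_EXTRACTABLE": False},
]

if __name__ == "__main__":
    for name, slot in (("GOOD_SLOT", GOOD_SLOT), ("BAD_SLOT", BAD_SLOT)):
        print(name, audit_slot(slot) or "no deviations")
```

Passing `backup_needed=False` skips the WRAP and Extractable checks, since step 4 requires Extractable only when key backup is needed.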