

Preparing an Eracom HSM for Use

These instructions have been tested with Eracom CSA8000.

When the Eracom CSA 8000 PCI card has been installed according to the installation manual (the process is slightly different on each platform), you should have access to the Eracom key management utility called KMU.

KMU is the utility designed for all key creation and backup tasks.

The Eracom Administration Manual covers the initial setup, but a short list of the required steps follows.

  1. Set the security options by logging into the administrator token. Here you can specify whether or not the device operates in FIPS 140-1 mode.
  2. Select slot 0. The slot with the number zero is the actual cryptographic device. The other slots represent the administrator token and the smart card reader slots.
  3. Create a key-backup key. This key is used to encrypt the backed-up keys. The backup key must have the WRAP value set to TRUE. Good defaults for the key are:
    • key type: 3DES
    • label: "backup key".

    The default values for other attributes are OK.

    Eracom also has a proprietary attribute, EXPORT, which is similar to WRAP. However, the WRAP attribute requires that the backup key is created with the Private attribute set to FALSE, which is why we do not recommend this alternative. See the Eracom Administrator Manual for more information.

  4. Create the CA key pair. It is recommended to use at least a 2048-bit RSA key. If key backup is needed, the key must have the Extractable attribute set to TRUE.

When the key is created, it is available for SSH Tectia Certifier once the PKCS #11 module has been added to it.
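The attribute requirements from steps 3 and 4 can be checked before relying on a backup. The following is an added example, not part of the original instructions or of Eracom's or SSH's tooling: it works on attribute sets as a PKCS #11 client would read them, assumes that key backup is needed, and uses a hypothetical function name, a hypothetical "CA key" label and constructed sample data.

```python
# PKCS #11 constants, values as defined in the standard pkcs11t.h header.
CKA_CLASS, CKA_LABEL, CKA_KEY_TYPE = 0x000, 0x003, 0x100
CKA_WRAP, CKA_MODULUS_BITS, CKA_EXTRACTABLE = 0x106, 0x121, 0x162
CKO_PUBLIC_KEY, CKO_PRIVATE_KEY, CKO_SECRET_KEY = 0x2, 0x3, 0x4
CKK_RSA, CKK_DES3 = 0x00, 0x15

def backup_findings(objects, backup_label="backup key", ca_label="CA key"):
    """List deviations from steps 3 and 4 that would break key backup.

    `objects` holds one dict per object in slot 0, mapping CKA_* attribute
    types to values, as C_GetAttributeValue would report them.
    """
    index = {(o.get(CKA_CLASS), o.get(CKA_LABEL)): o for o in objects}
    findings = []

    backup = index.get((CKO_SECRET_KEY, backup_label))
    if backup is None:
        findings.append("no secret key labelled %r" % backup_label)
    elif not backup.get(CKA_WRAP, False):
        findings.append("backup key has WRAP=FALSE")

    public = index.get((CKO_PUBLIC_KEY, ca_label))
    private = index.get((CKO_PRIVATE_KEY, ca_label))
    if public is None or private is None:
        findings.append("CA key pair %r is incomplete" % ca_label)
        return findings
    # The modulus length is an attribute of the public half of an RSA pair.
    if public.get(CKA_KEY_TYPE) == CKK_RSA and public.get(CKA_MODULUS_BITS, 0) < 2048:
        findings.append("CA RSA key is shorter than 2048 bits")
    # Only an extractable private key can be wrapped out for backup.
    if not private.get(CKA_EXTRACTABLE, False):
        findings.append("CA private key has Extractable=FALSE")
    return findings

# Constructed sample data (not read from a real device).
GOOD_SLOT = [
    {CKA_CLASS: CKO_SECRET_KEY, CKA_LABEL: "backup key", CKA_KEY_TYPE: CKK_DES3, CKA_WRAP: True},
    {CKA_CLASS: CKO_PUBLIC_KEY, CKA_LABEL: "CA key", CKA_KEY_TYPE: CKK_RSA, CKA_MODULUS_BITS: 2048},
    {CKA_CLASS: CKO_PRIVATE_KEY, CKA_LABEL: "CA key", CKA_KEY_TYPE: CKK_RSA, CKA_EXTRACTABLE: True},
]
BAD_SLOT = [
    {CKA_CLASS: CKO_SECRET_KEY, CKA_LABEL: "backup key", CKA_KEY_TYPE: CKK_DES3, CKA_WRAP: False},
    {CKA_CLASS: CKO_PUBLIC_KEY, CKA_LABEL: "CA key", CKA_KEY_TYPE: CKK_RSA, CKA_MODULUS_BITS: 1024},
    {CKA_CLASS: CKO_PRIVATE_KEY, CKA_LABEL: "CA key", CKA_KEY_TYPE: CKK_RSA, CKA_EXTRACTABLE: False},
]

if __name__ == "__main__":
    for name, slot in (("GOOD_SLOT", GOOD_SLOT), ("BAD_SLOT", BAD_SLOT)):
        print(name, backup_findings(slot) or "ready for backup")
```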

