Which CloudHSM certificates are used for the client-server end-to-end encrypted connection?

Short description

The end-to-end encrypted connection between the CloudHSM client and HSMs within a CloudHSM Cluster is established through two nested TLS connections. For more information, see CloudHSM client end-to-end encryption.

Resolution

Follow these instructions to set the end-to-end encrypted communication with an HSM.

Note: Be sure to use the specified certificates to avoid a TLS connection failure.

Server TLS Connection

Establish a TLS connection from the client to the server that hosts the HSM hardware. This is a two-way TLS connection between the server and client.

The server sends a self-signed certificate. You can run a command similar to the following to view this self-signed certificate details:

serial=B7FA7A40976CBE82
issuer= /C=US/ST=Virginia/L=Herndon/O=AWS/OU=AWS Cryptography/CN=CloudHSM/emailAddress=cloudhsm-team@amazon.com

subject= /C=US/ST=Virginia/L=Herndon/O=AWS/OU=AWS Cryptography/CN=CloudHSM/emailAddress=cloudhsm-team@amazon.com

$ openssl s_client -connect <HSM_IP>:2223 2> /dev/null | openssl x509 -subject -issuer -serial -noout

The HSM client verifies that this certificate is included in the CA trust path in the /opt/cloudhsm/etc/cert directory. Two certificates are included in the cloudhsm-client package similar to the following:

$ cd /opt/cloudhsm/etc/certs
$ ls
21a10654.0  712ff948.0

$ openssl x509 -subject -issuer -serial -noout -in 21a10654.0
subject= /C=US/ST=Virginia/L=Herndon/O=AWS/OU=AWS Cryptography/CN=CloudHSM/emailAddress=cloudhsm-team@amazon.com
issuer= /C=US/ST=Virginia/L=Herndon/O=AWS/OU=AWS Cryptography/CN=CloudHSM/emailAddress=cloudhsm-team@amazon.com
serial=B7FA7A40976CBE82

$ openssl x509 -subject -issuer -serial -noout -in 712ff948.0
subject= /C=US/ST=Virginia/L=Herndon/O=AWS/OU=Cryptography/CN=CloudHSM/emailAddress=cloudhsm-team@amazon.com
issuer= /C=US/ST=Virginia/L=Herndon/O=AWS/OU=Cryptography/CN=CloudHSM/emailAddress=cloudhsm-team@amazon.com
serial=A7525B285D1C2BB5

The HSM client sends the client certificate to the /opt/cloudhsm/etc/client.crt directory. The client certificate must be either the default certificate included in the CloudHSM client CA certificate on the CloudHSM client in the /opt/cloudhsm/etc/customerCA.crt directory.

The server verifies that this is either the default certificate or a certificate issued by customerCA.crt.

HSM TLS Connection

Establish a second TLS connection from the client to the HSM from within the first TLS connection layer. The server sends the CloudHSM cluster certificate issued during the cluster initialization. Download the certificate with the following command:

aws cloudhsmv2 describe-clusters --query "Clusters[?ClusterId=='<Cluster_ID>'].Certificates.ClusterCertificate" --output text

The client verifies that this is a certificate issued by the customerCA.crt in the /opt/cloudhsm/etc/customerCA.crt directory. Then, the client verifies connection to the HSM in the Cluster.

Note: The server certificate and the CloudHSM cluster certificate can't be changed or renewed.