Forum Discussion

flypast's avatar
flypast
Icon for Altostratus rankAltostratus
Feb 26, 2018

F5 and SafeNet HSM integration

As f5 doc suggest we can use fipskey.nethsm to create key/CSR/certificate as below:

 

Generating a key/certificate using the fipskey.nethsm utilityBefore you generate a key/certificate, make sure that the SafeNet Luna SA client is running on the BIG-IP® system.You can use the fipskey.nethsm utility to generate private keys and self-signed certificates on the BIG-IP system.Display the available options.fipskey.nethsm --helpGenerate the key, using any options you need.fipskey.nethsm --genkey -o

 

This example generates the three files that follow:

 

fipskey.nethsm --genkey -o siterequest

 

/config/ssl/ssl.key/siterequest.key

 

/config/ssl/ssl.csr/siterequest.csr

 

/config/ssl/ssl.crt/siterequest.crt

 

The key is saved in /config/ssl/ssl.key/.key. The certificate request is saved in /config/ssl/ssl.csr/.csr. The self-signed certificate is saved in /config/ssl/ssl.crt/.crt.

 

After you generate keys and certificates, you need to add the local key to the BIG-IP configuration using tmsh. The local key points to the HSM key, which resides in the HSM.

 

I am a bit of confused with the above. My question is: is "siterequest.key" local key which is used by F5 LTM to access the real private key stored on HSM.

 

No RepliesBe the first to reply