PKCS#7 chains
PKCS#7 chains can be generated for the HSM by importing the final certificate into the web console. PKCS#7 chains are used, for example, in the APIs of the Pix module to authenticate messages.
The chain will be generated from the top certificates (leaf certificates) entered. The system will load the certificate(s), analyze their structure, identify the chain's distribution URL, download it and then generate a new chain including the certificate(s) entered plus the certificates of the complete hierarchy of intermediate and root Certificate Authorities (CAs). The operator can check the structure of the chain and, once it is confirmed, the chain is imported into the HSM under the name entered.
Info
PKCS#7 chain generation is available from HSM firmware version 5.0.30.
Import and Generation
- Using a browser, connect to the IP of the HSM using https (e.g. https://127.0.0.1). For more details on the web console, see the topic HTTP console.
- Enter your credentials to log in via the web console.
- In the Partition division of the menu, select Keys/Certificates.
- Under New Key/Object (icon in the top right corner), select Import.
- In the import dialog under Other, select the PKCS#7 Generator import method.
- Enter the name under which the chain will be imported into the HSM. This must be the name entered by the application in the authentication API.
- Use the drop file field to drag and drop the leaf certificate(s) that will be used to generate the chain. If you prefer, you can click on the drop file area, browse your file system and select the certificate(s).
Note
Multiple certificates can be entered. If the certificates have the same chain, only one copy of each CA certificate will be included. Certificates can be in PEM or DER format. If the file entered is not recognized as a standard X.509 certificate, it will be rejected. If the same certificate is entered more than once, only the first copy will be used.
- As the certificates are displayed, you can see how the chain is set up. Click on the generated PKCS#7 chain to see the list of certificates, with some summary information such as validity and Common Name. The dialog screen can be scrolled vertically if necessary.
- Optionally, you can download the generated chain before importing it into the HSM, which is useful for a more detailed analysis of the object's final state.
- Confirm the import operation of the generated chain by clicking on Import.
Chain Visualization
- On the keys and objects list screen, locate the chain (object type PKCS#7) and click on the Details action icon.
- In the object properties dialog, select Chain Information, then click on PKCS#7 Chain to see a list of the certificates that make up the chain, with some summary information such as validity and Common Name.
- You can download the chain for a more detailed analysis using your operating system. Use the Export option.
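One way to do the more detailed analysis of a downloaded or exported chain with the OpenSSL command line, as an added example that is not part of the original documentation. The function names make_sample and p7_check, the file names and the sample CA and leaf are assumptions constructed for illustration; issuers are matched by name only and signatures are not verified.

```shell
#!/bin/sh
# Added example: names, paths and the sample certificates are constructed.

# Build a constructed root CA and leaf in directory $1, bundled as sample.p7b.
make_sample() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example-leaf" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/leaf.pem" 2>/dev/null &&
    cat "$d/leaf.pem" "$d/ca.pem" > "$d/all.pem" &&
    openssl crl2pkcs7 -nocrl -certfile "$d/all.pem" -out "$d/sample.p7b"
}

# Inspect PKCS#7 file $1 (format $2: PEM or DER, default PEM).
# Prints subject, issuer and notAfter for each certificate. Returns 1 if a
# certificate is expired or names an issuer that is not in the bundle, and 2
# if no certificate could be read. Issuers are matched by name only;
# signatures are not verified here.
p7_check() {
    tmp=$(mktemp -d) || return 2
    rc=0
    # Split the bundle into one PEM file per certificate (c1.pem, c2.pem, ...).
    openssl pkcs7 -in "$1" -inform "${2:-PEM}" -print_certs 2>/dev/null |
        awk -v d="$tmp" '/BEGIN CERT/{n++; p=1} p{print > (d "/c" n ".pem")} /END CERT/{p=0}'
    [ -f "$tmp/c1.pem" ] || { rm -rf "$tmp"; return 2; }
    for c in "$tmp"/c*.pem; do
        openssl x509 -in "$c" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
    done > "$tmp/subjects"
    for c in "$tmp"/c*.pem; do
        s=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        i=$(openssl x509 -in "$c" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        e=$(openssl x509 -in "$c" -noout -enddate | sed 's/^notAfter=//')
        echo "subject: $s | issuer: $i | notAfter: $e"
        openssl x509 -in "$c" -noout -checkend 0 >/dev/null || { echo "  EXPIRED"; rc=1; }
        grep -Fxq -- "$i" "$tmp/subjects" || { echo "  issuer not in chain"; rc=1; }
    done
    rm -rf "$tmp"
    return $rc
}

# Demo on the constructed sample. For a real export: p7_check exported.p7b PEM
work=$(mktemp -d) && make_sample "$work" && p7_check "$work/sample.p7b"; rm -rf "$work"
```

A complete chain ends in a self-signed root, so every issuer name appears among the subjects; a bundle that stops at an intermediate is reported as incomplete.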