
Generation of PKCS#7 chains

PKCS#7 chains can be generated for the HSM by importing the final certificate into the web console. PKCS#7 chains are used, for example, in the Pix module APIs for message authentication.

The chain is generated from the leaf certificates entered. The system loads the certificate(s), analyzes their structure, identifies the chain's distribution URL, downloads the chain, and then generates a new chain that includes the certificate(s) entered plus the certificates of the complete hierarchy of intermediate and root Certificate Authorities (CAs). The operator can check the structure of the chain; after confirmation, the chain is imported into the HSM under the name entered.

Info

PKCS#7 chain generation is available from HSM firmware version 5.0.30.

Import and Generation

  1. Using a browser, connect to the HSM's IP address over HTTPS (e.g. https://127.0.0.1). For more details on the web console, see the topic HTTP console.

  2. Enter your credentials to log in via the web console.

  3. In the Partition section of the menu, select Keys/Certificates.

Keys and certificates screen

  4. In New Key/Object (the circle with the + in the top right corner), select Import.

Import screen

  5. In the import dialog under Other, select the PKCS#7 Generator import method.

Generation screen

  6. Enter the name under which the chain will be imported into the HSM. This must be the name the application supplies in the authentication API.

  7. Use the drop file field to drag and drop the leaf certificate(s) that will be used to generate the chain. If you prefer, you can click on the drop file area, browse your file system, and select the certificate(s).

Multiple certificates can be entered. If the certificates have the same chain, only one copy of each CA certificate will be included. Certificates can be in PEM or DER format. If the file entered is not recognized as a standard X.509 certificate, it will be rejected. If the same certificate is entered more than once, only the first copy will be used.

Certificate input screen

  8. As the certificates are displayed, you can see how the chain is set up. Click on Generated PKCS#7 Chain to see the list of certificates, with some summary information such as validity and Common Name.

The dialog screen can be scrolled vertically if necessary.

Chain structure screen

  9. Optionally, you can download the generated chain before importing it into the HSM, which is useful for a more detailed analysis of the object's final state.

  10. Confirm the import operation of the generated chain by clicking on Import.

Import success screen

Chain Visualization

  1. On the list of keys and objects screen, locate the chain (object type PKCS#7) and click on the Edit action icon.

PKCS#7 list screen

  2. In the object properties dialog, select Chain Information, then click on PKCS#7 Chain to see a list of the certificates that make up the chain, with some summary information such as validity and Common Name.

PKCS#7 object screen

  3. You can download the chain for a more detailed analysis using your operating system. Use the Export option on the list of keys and objects screen.
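
The downloaded or exported chain can be inspected offline with the OpenSSL CLI. The script below is an added example, not part of the product documentation: it lists each certificate's fingerprint, expiry date and subject, and counts repeated certificates, which should be zero since only one copy of each CA certificate is included. It assumes the file is a certificates-only PKCS#7 that `openssl pkcs7` can read; the function names, file names and the demo CA are constructed for illustration.

```shell
# Added example: offline inspection of a PKCS#7 chain downloaded from the console.
# Assumes the OpenSSL CLI is installed; all file names and CNs are placeholders.

# Print the bundled certificates as PEM; the file may be PEM or DER encoded.
p7_certs() {
    if grep -q -e '-----BEGIN PKCS7-----' "$1"; then fmt=PEM; else fmt=DER; fi
    openssl pkcs7 -inform "$fmt" -in "$1" -print_certs
}

# Split the chain into DIR/cert-N.pem and print how many certificates it holds.
p7_split() {
    p7_certs "$1" | awk -v d="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", d, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }'
}

# One line per certificate: SHA-256 fingerprint, expiry date, subject.
p7_report() {
    for c in "$1"/cert-*.pem; do
        openssl x509 -in "$c" -noout -fingerprint -sha256 -enddate -subject | tr '\n' ' '
        echo
    done
}

# Count certificates that appear more than once (a generated chain should give 0).
p7_dups() {
    for c in "$1"/cert-*.pem; do
        openssl x509 -in "$c" -noout -fingerprint -sha256
    done | sort | uniq -d | wc -l | tr -d ' '
}

# Constructed sample: one demo CA and two leaves bundled as DIR/chain.p7b (DER).
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Demo Root CA' \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null || return 1
    for name in leaf-a leaf-b; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$1/$name.key" -out "$1/$name.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$1/$name.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
            -CAcreateserial -days 30 -out "$1/$name.pem" 2>/dev/null || return 1
    done
    cat "$1/leaf-a.pem" "$1/leaf-b.pem" "$1/ca.pem" > "$1/bundle.pem"
    openssl crl2pkcs7 -nocrl -certfile "$1/bundle.pem" -outform DER -out "$1/chain.p7b"
}
```

Source the file, run `p7_split` on the downloaded chain with an empty output directory, then `p7_report` and `p7_dups` on that directory.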