
Import

Main menu option: 4 - Import

Imports keys and objects into the user's partition. The import is always done from a file on the workstation, or in some cases, by manual input from the user.

Warning

Additional, specialized import methods are available in the HSM Operation menu under the EFT and SPB options. See the EFT and SPB topics for more information.

The following types of objects can be imported via the console interfaces:

  1. Symmetric keys: DES, 3DES and AES keys.

  2. Asymmetric keys: RSA and ECC keys.

  3. Other objects: certificates and chains.

The imported object follows the same rules as an object created on the HSM (see the Creation topic).

The marker (local) always refers to a file name on the user's workstation, and the marker (hsm) refers to an object name in the HSM partition.

As long as the authenticated user has permission to create objects in other partitions, the operation can be performed by giving the partition name and the object name in the form:

partition/object

When operating in restricted mode, the RSA KEK method is available for importing symmetric keys (3DES and AES), and the PKCS#8 method is available for importing asymmetric keys (RSA or ECC), with the AES 256 encryption key derived from a 16-character password.

Attention

In KEK (Key Encryption Key) operations, the encrypting key must not be weaker than the transported key.

Symmetric Keys

Symmetric keys can be imported using the following methods:

  1. Protected by KEK, a Key Encryption Key.

    If the KEK is an RSA key, the expected enveloping method is the PKCS#1 version 2.1 standard with the RSAES-OAEP encryption scheme. The user must hold in their partition the private key corresponding to the public key that closed the envelope.

  2. In clear text.
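The KEK envelope described above, as an added example that is not part of the Dinamo console or its documentation. It wraps a random AES or 3DES key under an RSA KEK public key with RSAES-OAEP, opens it again with the private half (the step the HSM performs on import), and applies the "KEK must not be weaker than the transported key" rule. Assumptions: the strength comparison uses the NIST SP 800-57 equivalences (the page names no table), and the OAEP hash is SHA-256 (the page does not state which hash the HSM expects; the value used must match the HSM's).

```python
"""Envelope an AES or 3DES key under an RSA KEK with RSAES-OAEP (PKCS#1 v2.1)
and apply the rule that the KEK must not be weaker than the transported key.
Added example, not the Dinamo console's own code."""
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Comparable security strengths in bits, from NIST SP 800-57 Part 1.
# Assumption: the page only says "must not be weaker"; it does not name the
# equivalence table the HSM applies.
RSA_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}
SYM_STRENGTH = {"DES": 56, "3DES": 112}  # AES strength equals its key length


def rsa_strength_bits(modulus_bits: int) -> int:
    """Strength of the largest listed modulus not exceeding modulus_bits."""
    strength = 0
    for size, bits in sorted(RSA_STRENGTH.items()):
        if modulus_bits >= size:
            strength = bits
    return strength


def symmetric_strength_bits(algorithm: str, raw_key: bytes) -> int:
    if algorithm == "AES":
        return len(raw_key) * 8
    return SYM_STRENGTH[algorithm]


def kek_strong_enough(kek_modulus_bits: int, algorithm: str, raw_key: bytes) -> bool:
    return rsa_strength_bits(kek_modulus_bits) >= symmetric_strength_bits(algorithm, raw_key)


# OAEP parameters. Assumption: SHA-256 for both the hash and MGF1; the page
# does not state the hash, and the HSM must expect the same parameters.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def wrap_symmetric_key(kek_public, algorithm: str, raw_key: bytes) -> bytes:
    """Close the envelope with the KEK public key; refuse a KEK weaker than the key."""
    if not kek_strong_enough(kek_public.key_size, algorithm, raw_key):
        raise ValueError(f"RSA-{kek_public.key_size} KEK is weaker than the {algorithm} key")
    return kek_public.encrypt(raw_key, OAEP)


def unwrap_symmetric_key(kek_private, envelope: bytes) -> bytes:
    """What the HSM does on import, with the private half held in the partition."""
    return kek_private.decrypt(envelope, OAEP)


def roundtrip(kek_bits: int, algorithm: str, key_len: int) -> bool:
    """Generate a KEK pair and a random key, wrap, unwrap, compare."""
    kek = rsa.generate_private_key(public_exponent=65537, key_size=kek_bits)
    raw_key = os.urandom(key_len)
    envelope = wrap_symmetric_key(kek.public_key(), algorithm, raw_key)
    assert len(envelope) == kek_bits // 8  # OAEP output is one modulus in length
    return unwrap_symmetric_key(kek, envelope) == raw_key


if __name__ == "__main__":
    print("AES-128 under RSA-3072 KEK:", roundtrip(3072, "AES", 16))
    try:
        roundtrip(3072, "AES", 32)
    except ValueError as exc:
        print("refused:", exc)
```

Under these equivalences an RSA-3072 KEK may transport an AES-128 key but not an AES-256 key; the wrapped blob is exactly one modulus in length, which is a quick sanity check on a file before offering it to the import menu.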

Asymmetric Keys

Asymmetric keys can be imported into the HSM using the following methods:

  1. Protected by KEK, a Key Encryption Key.

  2. PKCS#1; the RSA public and/or private key is imported in clear text with DER encoding. In the case of a private key, the file format must be ASN.1 as defined in the PKCS#1 v1.5 standard in section 7.1. In the case of a public key, the file must contain the representation in section 7.2.

  3. PKCS#8; in this option the private key (RSA or ECC/ECDSA) can be imported in clear text or protected by a digital envelope. For details on the standards, see the RSA Labs Public-Key Cryptography Standards (PKCS) documents.

    In restricted mode, RSA keys can only be imported via the PKCS#8 standard using a digital envelope, deriving an AES 256 key from a password of at least 01 character, and the derivation is done according to the PKCS#5 version 2.0 standard.

  4. PKCS#12; the certificate and the corresponding private key contained in a PKCS#12 file (usually files with a .pfx or .p12 extension, protected by encryption derived from a password) are imported into the HSM; the key and the certificate are imported as independent objects and can later be removed separately without interfering with each other. For details on the standards, see the RSA Labs Public-Key Cryptography Standards (PKCS) documents.

  5. Protected by a public key whose equivalent private key exists on the user's partition.
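The PKCS#1 and PKCS#8 file formats from items 2 and 3, as an added example that is not the Dinamo console's own code. It writes one RSA key as a clear-text PKCS#1 RSAPrivateKey (section 7.1), a PKCS#1 RSAPublicKey (section 7.2), and a PKCS#8 digital envelope whose AES-256 key is derived from a password by PBKDF2 (PKCS#5 v2.0), then parses each file back the way an importer would. The 16-character password is constructed; the file names are hypothetical.

```python
"""Write an RSA key in the two clear-text PKCS#1 DER structures and in a
password-protected PKCS#8 envelope, then parse them back as an importer would.
Added example; not part of the Dinamo console or its documentation."""
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa

PASSWORD = b"correct-horse-16"  # constructed 16-character password

DER = serialization.Encoding.DER


def build_rsa_import_files(password: bytes = PASSWORD, key_bits: int = 2048) -> dict:
    """Return {hypothetical file name: DER bytes} for one freshly generated key."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    return {
        # PKCS#1 v1.5 section 7.1, RSAPrivateKey in clear text
        # (the cryptography library calls this structure TraditionalOpenSSL)
        "pkcs1_private.der": key.private_bytes(
            DER, serialization.PrivateFormat.TraditionalOpenSSL, serialization.NoEncryption()
        ),
        # PKCS#1 section 7.2, RSAPublicKey
        "pkcs1_public.der": key.public_key().public_bytes(DER, serialization.PublicFormat.PKCS1),
        # PKCS#8 in a digital envelope: BestAvailableEncryption emits PBES2 with
        # PBKDF2 (PKCS#5 v2.0) and AES-256-CBC keyed from the password
        "pkcs8_encrypted.der": key.private_bytes(
            DER, serialization.PrivateFormat.PKCS8, serialization.BestAvailableEncryption(password)
        ),
    }


def _rejects(encrypted_der: bytes, wrong_password: bytes) -> bool:
    """True when the envelope refuses to open with the wrong password."""
    try:
        serialization.load_der_private_key(encrypted_der, password=wrong_password)
    except (ValueError, TypeError):
        return True
    return False


def check_rsa_import_files(files: dict, password: bytes = PASSWORD) -> dict:
    """Parse every file and confirm all of them describe the same key pair."""
    priv1 = serialization.load_der_private_key(files["pkcs1_private.der"], password=None)
    pub1 = serialization.load_der_public_key(files["pkcs1_public.der"])
    priv8 = serialization.load_der_private_key(files["pkcs8_encrypted.der"], password=password)
    ref = priv1.public_key().public_numbers()
    clear_pkcs8 = priv8.private_bytes(
        DER, serialization.PrivateFormat.PKCS8, serialization.NoEncryption()
    )
    return {
        "pkcs1_public_matches": pub1.public_numbers() == ref,
        "pkcs8_matches": priv8.public_key().public_numbers() == ref,
        "pkcs8_is_enveloped": files["pkcs8_encrypted.der"] != clear_pkcs8,
        "wrong_password_rejected": _rejects(files["pkcs8_encrypted.der"], b"not-the-password"),
    }


if __name__ == "__main__":
    for name, ok in check_rsa_import_files(build_rsa_import_files()).items():
        print(f"{name}: {ok}")
```

Only the PKCS#8 file may be offered to the import menu in restricted mode; the two PKCS#1 files carry the key material in clear text and are accepted only outside that mode.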

Certificates, Chains and Files

The following types of objects can be imported under Other Objects:

  1. Certificate: the file indicated must be an X.509 certificate, such as an ICP-Brasil standard certificate;

  2. PKCS#7 standard certificate chains: the file indicated must be an X.509 certificate chain;

  3. File: objects that are opaque to the HSM, interpreted as just a sequence of bytes. The HSM will always try to identify the type of the imported object, so if the file indicated is, for example, an X.509 certificate, a CRL or a chain of valid PKCS#7 standard certificates (files in BASE64 or DER format), the HSM will identify the type and indicate the correct type in the object's attributes.

  4. PSKC Translate: the file indicated must be a PSKC (Portable Symmetric Key Container) file. This file type is normally used for importing OATH seeds (for more details, see the OATH topic).

Dinamo - Remote Management Console v. 4.7.12.3 2018 (c) Dinamo Networks

HSM 127.0.0.1 e - Engine 5.0.22.0 (DXP) - TCA0000000 - ID master

Keys/Objects - Import



 1 - Symmetric Keys
 2 - Asymmetric Keys
 3 - Others
 0 - Main Menu

Option:

Asymmetric key import using PKCS#12 file

Dinamo - Remote Management Console v. 4.7.12.3 2018 (c) Dinamo Networks

HSM 127.0.0.1 e - Engine 5.0.22.0 (DXP) - TCA0000000 - ID master

Keys/Objects - Import - Asymmetric Keys - PKCS#12

File (local) : lab.pfx
Private key password : ********
Exportable (y/[n]):
Private key name : labk
X.509 certificate name (HSM) : labc
Public key name (ENTER for none) : labpub

File loaded successfully.

Press ENTER key to continue...