
Users and certificates

The certificate configuration defines the interaction between the private keys in the HSM and the certificates known to Windows.

Windows applications usually interact only with certificates. The CSPs (Cryptographic Service Providers) connect those certificates to the devices that hold the private keys (HSMs, USB tokens and the like), so it is important to understand how the environment is set up and to know, for example, whether a given private key in the HSM has a certificate that Windows recognizes.

Because of the way the Windows architecture works, loading the key and certificate into the HSM does not by itself make them available to applications. The graphical console automates as many of the remaining steps as it can, but some user intervention may still be necessary.

The configuration made through the graphical console is stored in the user's scope (profile) and is therefore only valid for, and recognized by, applications running under the current user's profile. An application that runs under a different account, such as a Windows service, must be configured from that account's profile.

To use the settings in the Certificates option, you need to connect to the HSM. If there is no HSM user account already set up, the console will prompt you for one.

Credential warning message

After connecting to the HSM, the console displays a status bar, a title bar and a side menu. The status bar (at the bottom) shows the console version. The title bar shows the Dinamo Networks cloud connection status, a warning about the HSM's telemetry to the cloud, and the HSM's serial number, IP address and firmware version.

Title bar

Warning

Integration with the cloud is optional and does not interfere with the normal operation of the HSM. If you are not using telemetry for the cloud, you can ignore the warning messages listed in the title bar.

The environment configuration options are grouped into tabs:

  1. HSM users
  2. Certificates
  3. Backup
  4. Dinamo Super Cloud
  5. Open HTTP Console

The other options are direct actions:

  1. Start screen
  2. Exit

When loading the Users and Certificates settings, the console will scan the environment and look for possible relationships between private keys and certificates that can be configured automatically.

HSM users

HSM users tab

Defines which HSM user is being used for access; the name is displayed at the top of the page.

If the currently configured user has permission, you can create new users in the HSM (Create user button). This operation does not change the current configuration.

New user

You can share the current partition with other HSM users (Share button). If you have list permission you can choose from a list; otherwise you must enter the name of the user you want to share the partition with.

Attention

Once the partition has been shared, every certificate and key in it becomes available to the selected user(s). Sharing is done at partition level, not per key, so share only with users who should be able to use all of them.

Sharing with other users

To change the current HSM user, use the Change user button. If you have list permission you can choose from a list; otherwise you must enter the name of the new user.

Switching users

To change the password of the current HSM user, use the Change password button and enter the new password.

Attention

HSM administrators cannot change other users' passwords; only the user can change their own password. There is no option to recover a lost password. This is a security feature and a requirement of the certification standards the HSM complies with.

Certificates

Table of certificates

The relationships between private keys, certificates and providers are managed using the options below.

To import a PKCS#12 file (.pfx) into the HSM, use the Import button. Select the file and enter a name and the file's password. The name identifies the key in the HSM; the certificate is stored under the same name with the suffix _cer. When a PKCS#12 file is imported, the certificate is automatically associated with the HSM's cryptographic service provider (CSP). Note that the .pfx file itself still contains a software copy of the private key, so delete it or lock it away once the import has been verified.

Importing certificates

If the HSM is configured for telemetry with the Dinamo Networks cloud service, you can view the certificate usage report directly on the service's website. The Usage report button opens the certificate usage report page in a new window of the default browser. You may need to log in to view the report.

Certificate report - cloud

To issue a certificate directly with a Certificate Authority (CA), use the Issue via CA button and select the CA. Each CA has its own policy on the documents and procedures required to issue a certificate from a key in the HSM, so this process must begin with prior contact with the CA. Check in the installed version of the graphical console which CAs are available.

Issuing certificates via CA

The Refresh button rescans the environment and looks for relationships between private keys and certificates that can be configured automatically. The same scan runs whenever the Certificates option is selected on the main screen.
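The linkage that the console builds and rescans (a Windows certificate whose private key is reachable through the HSM's provider, valid only in the profile where it was configured) can also be checked from outside the console. The PowerShell script below is an added example, not part of the Dinamo console or its documentation. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, that the HSM's CSP/KSP is installed, that the HSM session is open for the current user, and that you supply a thumbprint taken from the Certificates table. The list of Microsoft software providers is a constructed heuristic used to decide whether the key Windows uses is in the HSM at all; the script name, parameter names and the output fields are this example's own.

```powershell
# Check-HsmCert.ps1 -- added example, not part of the Dinamo console or its documentation.
# Verifies, from the *current user's* profile, that a Windows certificate is backed by a
# private key Windows can reach through an installed provider, reports which provider and
# container hold it, and proves the key works by making and verifying a signature.
# Assumptions: Windows PowerShell 5.1 (.NET Framework 4.6+) or PowerShell 7 on Windows,
# the HSM's CSP/KSP installed, and an open HSM session for this user. The thumbprint comes
# from the console's Certificates table; the store path and provider list are parameters.
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    # The console configures the user (profile) scope, so check the CurrentUser store by default.
    [string]$StorePath = 'Cert:\CurrentUser\My',
    # Constructed list of Microsoft software providers: a key held by one of these is NOT in the HSM.
    [string[]]$SoftwareProviders = @(
        'Microsoft Software Key Storage Provider',
        'Microsoft Enhanced RSA and AES Cryptographic Provider',
        'Microsoft Strong Cryptographic Provider',
        'Microsoft Enhanced Cryptographic Provider v1.0',
        'Microsoft Base Cryptographic Provider v1.0'
    )
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# 1. Locate the certificate in this profile's store (other users' profiles are not visible here).
$tp   = ($Thumbprint -replace '\s', '').ToUpperInvariant()
$cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $tp }
if (-not $cert) { throw "No certificate with thumbprint $tp in $StorePath." }

# 2. Windows must already know a private key for it; if not, the association is missing,
#    which is what the console's Refresh / Enable actions rebuild.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $tp is present but Windows has no private key associated with it."
}

# 3. Resolve the key through the generic RSA API: CAPI keys come back as RSACryptoServiceProvider
#    (CSP), CNG keys as RSACng (KSP). The provider/container values correspond to the console's
#    'Key provider' and 'Container' columns.
$ext = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
$key = $ext::GetRSAPrivateKey($cert)
if (-not $key) { throw "Certificate $tp does not use an RSA key; this example checks RSA keys only." }

if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $info       = $key.CspKeyContainerInfo
    $provider   = $info.ProviderName
    $container  = $info.KeyContainerName
    $exportable = $info.Exportable
} elseif ($key -is [System.Security.Cryptography.RSACng]) {
    $provider   = $key.Key.Provider.Provider
    $container  = $key.Key.KeyName
    $exportable = ($key.Key.ExportPolicy -ne 'None')
} else {
    throw "Unexpected private key type $($key.GetType().FullName)."
}

# 4. Exercise the key the way an application would: sign constructed data with the private key
#    (inside the HSM if the provider is the HSM's) and verify with the certificate's public key.
$data    = [System.Text.Encoding]::UTF8.GetBytes("hsm-key-check $(Get-Date -Format o)")
$hashAlg = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$padding = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
$sig     = $key.SignData($data, $hashAlg, $padding)
$sigOk   = $ext::GetRSAPublicKey($cert).VerifyData($data, $sig, $hashAlg, $padding)

$inHsm = $SoftwareProviders -notcontains $provider   # heuristic: not a Microsoft software provider
if (-not $inHsm) {
    Write-Warning "Windows is using a SOFTWARE key ($provider) for $tp; the private key in use is not in the HSM."
}
if ($exportable) {
    Write-Warning "The private key for $tp is marked exportable; an HSM-held key should not be."
}

[pscustomobject]@{
    Subject     = $cert.Subject
    Thumbprint  = $cert.Thumbprint
    Expires     = $cert.NotAfter
    KeyProvider = $provider
    Container   = $container
    KeyInHsm    = $inHsm
    Exportable  = $exportable
    SignatureOk = $sigOk
}
```

Run it as `.\Check-HsmCert.ps1 -Thumbprint <thumbprint>` under the same account that will run the application; for a service account, run it from that account's own session, because the per-user configuration is not visible from any other profile. A failure in the signing step is the failure an application would see, so it is the most useful single check after an import or a provider switch. If the certificate is present but has no associated private key, the console's Refresh and Enable actions rebuild the association; `certutil -user -repairstore My <thumbprint>` is the command-line tool that asks the installed providers to locate a matching key.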

Table of certificates

The columns in the certificate table can be resized, repositioned and sorted.

The search field performs a textual search over the table's rows; it is case-sensitive and accepts * as a wildcard.

Columns:

  1. Issued to:
  2. HSM:
  3. Windows:
  4. Cloud:
  5. Expiration date:
  6. Private key in HSM:
  7. Private key in the Cloud:
  8. Key provider:
  9. Container:
  10. Thumbprint:

The actions in the table are available from a context menu opened with the right mouse button. Depending on the certificate's status, the following options are available:

Pop up menu with available actions

  1. Open:
  2. Enable:
  3. Disable:
  4. Enable all:
  5. Disable all:
  6. Upload to the cloud:
  7. Switch to an HSM provider:
  8. Switch to a cloud provider:

Backup

Backs up the HSM database. The current user must have the required permission. Select the destination file and enter the password that protects the backup. A backup can be taken without interrupting HSM operation.

Restoring a backup also requires permission. The restore is only processed, and only takes effect, after the HSM is rebooted.

Attention

Restoring a backup completely overwrites the HSM database. After the operation, the HSM's activation SVMK (smart cards or activation password) is the one that was configured on the HSM when the backup was generated, so make sure those smart cards or that password are still available before restoring.

HSM Backup and Restore

Dinamo Super Cloud

Displays the account currently configured and connected to the Dinamo Networks cloud service. You can change the account or close the session.

To stop sending telemetry from the HSM to the Dinamo Networks cloud service, use the Unlink HSM from cloud button.

To import certificates that are in the cloud into the HSM, use the Import certificates button. Only the certificate is imported, not the private key.

Warning

Integration with the cloud is optional and does not interfere with the normal operation of the HSM.

Connection to Super Cloud

Open HTTP console

The Open HTTP console button opens the login screen of the HSM HTTP console in a new window of the default browser. For more details on the console, see the HTTP Console topic.

HSM HTTP console
