
Certificates at HSM

The certificate configuration defines the interaction between the private keys in the HSM and the certificates known to Windows.

Windows applications usually interact only with the certificates. The CSPs (Cryptographic Service Providers) interface these certificates with the devices that store the private keys (such as HSMs and USB tokens), so it is important to understand how the environment is set up and to know, for example, whether a particular private key in the HSM has its certificate recognized by Windows.

Because of the way the Windows system architecture works, having the key and certificate loaded into the HSM does not automatically make them available to applications. The graphical console tries to leave as many steps as possible automated, but some user intervention may be necessary.

The configuration made via the graphical console remains in the user's scope (profile) and is therefore only valid and recognized for applications running under the current user's profile.

To use the settings in the Certificates option, you need to connect to the HSM. If there is no HSM user account already set up, the console will prompt you for one.

After connecting to the HSM, the console will display the following information at the top right:

  1. Dinamo Networks cloud connection status
  2. Telemetry status
  3. Model
  4. Serial number
  5. Firmware version
  6. Remote management status
  7. IP address
  8. User name (from HSM)

Warning

Integration with the cloud is optional and does not interfere with the normal operation of the HSM. If you are not using telemetry for the cloud, you can ignore the warning messages listed in the title bar.

The environment configuration options are grouped into tabs:

  1. Certificates
  2. Open Console HTTP
  3. Open Windows Certificates
  4. Open Cloud Console

The other options are direct actions:

  1. Start screen
  2. Exit

When loading the Users and Certificates settings, the console will scan the environment and look for possible relationships between private keys and certificates that can be configured automatically.

Certificates

Figure: Table of certificates

The relationships between private keys, certificates and providers are managed using the options below.

To import a PKCS#12 (.pfx) certificate file into the HSM, use the Import button. Select the file and enter a name and password. The name will be used to identify the key in the HSM; the certificate will have the same name as the key, suffixed with _cer. When a PKCS#12 file is imported, the certificate is automatically associated with the cryptographic service provider (CSP) of the HSM.

If the HSM is configured for telemetry with the Dinamo Networks cloud service, you can view the certificate usage report directly on the service's website. The Usage report button opens a new window (default browser) on the certificate usage report page. You may need to log in to view the report.

Figure: Certificate report - cloud

To issue a certificate directly with a Certificate Authority (CA), use the Issue via CA button and select the CA. Each CA has its own policy on the documents and procedures required to issue a certificate from a key in the HSM, so this process must begin with prior contact with the CA. Check in the installed version of the graphical console which CAs are available.

With the Refresh button, the console will scan the environment and look for possible relationships between private keys and certificates that can be configured automatically. This scan is also carried out whenever the Certificates option is selected on the main screen.

The columns in the certificate table can be resized, repositioned and sorted.

The search field performs a textual search in the table's rows, is case-sensitive and allows the use of wildcards with *.

Columns:

  1. Issued to
  2. HSM
  3. Windows
  4. Cloud
  5. Expiration date
  6. Private key in HSM
  7. Private key in the Cloud
  8. Key provider
  9. Container
  10. Thumbprint
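The table above is the console's view of the key/certificate binding; the same information can be checked from the Windows side. The PowerShell script below is an added example (not part of the Dinamo Networks console or its documentation): it walks the current user's personal certificate store, which is the same user-scope (profile) store the console configures, and reports for each certificate the issued-to name, expiration date, thumbprint, whether a private key is associated, and the key provider and container that Windows resolves it to, through either the CNG (KSP) or the legacy CAPI (CSP) path. The `$ProviderFilter` value is a placeholder, not a real provider name; replace it with the name under which your HSM provider is registered.

```powershell
# Added example, not Dinamo Networks' own code.
# Lists certificates in the current user's personal store and shows which
# key provider and container each one is bound to, mirroring the columns of
# the console's certificate table (Issued to, Expiration date, Key provider,
# Container, Thumbprint, Private key present).
param(
    # Placeholder substring (assumption): replace with your HSM provider's name.
    [string]$ProviderFilter = 'HSM'
)

function Get-KeyBinding {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $result = [ordered]@{
        IssuedTo   = $Cert.GetNameInfo(
                        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        Expires    = $Cert.NotAfter
        Thumbprint = $Cert.Thumbprint
        HasKey     = $Cert.HasPrivateKey   # certificate is linked to a key container
        Provider   = $null
        Container  = $null
        KeyApi     = $null
    }

    # No linked key: the certificate is in the store but Windows does not
    # know which device holds its private key (the "not configured" case).
    if (-not $Cert.HasPrivateKey) { return [pscustomobject]$result }

    try {
        # Resolves the RSA key through whichever provider the certificate is bound to.
        # ECDSA certificates would use GetECDsaPrivateKey instead.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)

        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG key: provider is a KSP, container is the CNG key name.
            $result.Provider  = $rsa.Key.Provider.Provider
            $result.Container = $rsa.Key.KeyName
            $result.KeyApi    = 'CNG'
        }
        elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CAPI key: provider is a CSP, container is the key container name.
            $info = $rsa.CspKeyContainerInfo
            $result.Provider  = $info.ProviderName
            $result.Container = $info.KeyContainerName
            $result.KeyApi    = 'CAPI'
        }
    }
    catch {
        # The binding exists but the key could not be opened right now
        # (for example the HSM session is not available). The certificate is
        # visible to applications yet signing with it will fail.
        $result.KeyApi = "ERROR: $($_.Exception.Message)"
    }

    [pscustomobject]$result
}

# Cert:\CurrentUser\My is the user-scope store the graphical console configures.
# Cert:\LocalMachine\My is machine scope and will not reflect that configuration.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Get-KeyBinding -Cert $_ } |
    Select-Object IssuedTo, Expires, HasKey, KeyApi, Provider, Container, Thumbprint,
                  @{ Name = 'OnHsmProvider'; Expression = { $_.Provider -like "*$ProviderFilter*" } } |
    Sort-Object Expires |
    Format-Table -AutoSize
```

Run it in a Windows PowerShell session under the same user profile the console was used with; a row with `HasKey` false, or with a provider that is not the HSM provider, corresponds to a certificate the console would show as not (or wrongly) configured, and an `ERROR` value in `KeyApi` means the binding is present but the HSM key could not be opened from this session.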

The actions in the table are triggered in a pop-up menu via the right mouse button. Depending on the status, the following options are available for each certificate:

  1. Open
  2. Enable
  3. Disable
  4. Enable all
  5. Disable all
  6. Upload to the cloud
  7. Switch to HSM provider
  8. Switch to a cloud provider

Figure: Pop-up menu with available actions

Open Console HTTP

The Open HTTP console button opens a new window (default browser) with the initial login screen of the HSM HTTP console. For more details on the console, see the HTTP Console topic.

Figure: HTTP Login Console

Open Windows Certificates

Figure: Windows Certificate Manager

Open Cloud Console

Displays the account currently configured and connected to the Dinamo Networks cloud service. You can change the account or close the session.

To stop sending telemetry from the HSM to the Dinamo Networks cloud service, use the Unlink HSM from cloud button.

To import certificates that are in the cloud into the HSM, use the Import certificates button. Only the certificate is imported, not the private key.

Warning

Integration with the cloud is optional and does not interfere with the normal operation of the HSM.

Figure: Login Dinamo Cloud