How it works...

In this recipe, we initialized a CloudHSM cluster and created our first HSM within it. I used the default VPC for convenience, and you can do the same if you are experimenting with CloudHSM for learning purposes. For production use, the HSM should be placed in a private subnet within a custom VPC so that it is not reachable from the internet and only your application hosts can talk to it. We will look at VPCs in detail in the next chapter.

Before initializing the cluster, we need to download the cluster's CSR and sign it. In production, the CSR should be signed by a certificate authority you trust, for example your organization's internal PKI, because the resulting issuing certificate is what every CloudHSM client will trust when it connects to the cluster. For development and testing, we can create a self-signed issuing certificate with OpenSSL and use it to sign the CSR. To do this, follow these steps:

  1. Create a private key using OpenSSL, and keep it protected: anyone holding it can issue certificates the cluster trusts.
  2. Use the private key to create a self-signed signing certificate (the issuing certificate).
  3. Use the self-signed issuing certificate and its private key to sign the CSR we downloaded from the AWS console; the output is the cluster certificate.
  4. Finally, upload both the signed cluster certificate and the self-signed issuing certificate to AWS.
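The four steps above carried out end to end with OpenSSL, as an added example that is not code from the book or from AWS. It follows the file names used in the AWS CloudHSM documentation (customerCA.key, customerCA.crt, &lt;cluster ID&gt;_CustomerHsmCertificate.crt), but since a real cluster CSR can only be downloaded from your own cluster, it generates a constructed stand-in CSR locally; the cluster ID cluster-example, the subject names and the working directory are assumptions. It also adds the check a practitioner wants before uploading: that the signed cluster certificate verifies against the issuing certificate, and against nothing else.

```shell
#!/bin/sh
# Added example (not from the book or AWS): sign a CloudHSM cluster CSR with a
# self-signed issuing certificate, for development and testing only.
# Assumes openssl is on PATH. File names follow the AWS documentation; the
# cluster ID "cluster-example" and all subject names are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Steps 1 and 2: private key plus self-signed issuing certificate, written to
# <prefix>.key and <prefix>.crt. The AWS steps encrypt this key (-aes256); it is
# left unencrypted here only so the script runs non-interactively. Guard it:
# it can mint certificates the cluster will trust.
make_ca() {
    prefix="$1"; cn="$2"
    openssl genrsa -out "$prefix.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3652 -key "$prefix.key" \
        -subj "/C=US/O=Example Org/CN=$cn" \
        -out "$prefix.crt"
}

# Constructed stand-in for the CSR you download from the AWS console. A real
# cluster CSR is produced inside the HSM and its private key never leaves it;
# this one is generated locally so the script runs offline.
make_stand_in_csr() {
    openssl genrsa -out "$WORK/cluster.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/cluster.key" \
        -subj "/C=US/O=Example Org/CN=cluster-example" \
        -out "$WORK/cluster-example_ClusterCsr.csr"
}

# Step 3: sign the CSR with the issuing certificate's private key. The output
# is the cluster certificate that gets uploaded in step 4.
sign_cluster_csr() {
    openssl x509 -req -days 3652 -in "$1" \
        -CA "$WORK/customerCA.crt" -CAkey "$WORK/customerCA.key" -CAcreateserial \
        -out "$WORK/cluster-example_CustomerHsmCertificate.crt" 2>/dev/null
}

# Pre-upload check: does the cluster certificate chain to the given CA file?
# Non-zero exit means it does not (wrong CA, or an unsigned CSR by mistake).
verify_cluster_cert() {
    openssl verify -CAfile "$1" \
        "$WORK/cluster-example_CustomerHsmCertificate.crt" >/dev/null 2>&1
}

# Issuer DN of the signed cluster certificate; it should name our issuing CA.
cluster_cert_issuer() {
    openssl x509 -noout -issuer \
        -in "$WORK/cluster-example_CustomerHsmCertificate.crt"
}

# Steps 1 to 3 plus the check. Step 4 (the upload) happens in the AWS console.
run_all() {
    make_ca "$WORK/customerCA" "CloudHSM Issuing CA"
    make_stand_in_csr
    sign_cluster_csr "$WORK/cluster-example_ClusterCsr.csr"
    verify_cluster_cert "$WORK/customerCA.crt"
    echo "Cluster certificate and issuing certificate are in $WORK; upload both to AWS."
}

run_all
```

For a real cluster, call sign_cluster_csr with the path of the downloaded &lt;cluster ID&gt;_ClusterCsr.csr instead of the stand-in, then take customerCA.key offline. The issuing certificate customerCA.crt is also what you copy to each client host that will connect to the cluster, which is why a compromised or carelessly shared issuing key is a cluster-wide problem rather than a one-off.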

First, we logged into the HSM as the user with the PRECO role, a temporary role that exists only on the first HSM in our cluster. After we changed this user's default password, we observed that its type changed from PRECO to CO. A user of the AU type was also present.

With CloudHSM, we have four main user types:

  • Precrypto Officer (PRECO)
  • Crypto Officer (CO)
  • Crypto User (CU)
  • Appliance User (AU)

PRECO is a user type created by AWS that we can use only until we set its password. Once the password is changed, the user's type becomes CO. The first CO is referred to as the primary CO (PCO), and a CO can create further COs and CUs. A Crypto Officer is responsible for managing users and cluster-wide settings, but cannot use or manage keys. A CU is responsible for managing keys, including creating, deleting, sharing, importing, and exporting them, and for cryptographic operations such as encryption, decryption, signing, and verification. Applications should therefore connect to the cluster with CU credentials, never with CO credentials. AU is a limited-permission user that AWS uses for cloning and synchronization activities; it cannot manage users or keys.
