Verifying Keys on the HSM

This section describes how to verify that Key Manager is able to use keys from its HSM partition. The procedures described in this section are optional. These procedures may be performed on any Key Manager Server (after the Key Manager system and all the Key Manager Servers have been set up to use HSM).

To test that the HSM setup works as intended, verify that the key-generation tool on the Key Manager Server is able to read and decode the keys found on the HSM. This is done as follows:

  1. If using card-based protection, save the PIN code of the card to a file on the Key Manager Server.

    After you have created the PIN-code file, set the environment variable SSH_PKCS11_PINFILE to point to the file (replace hsm/pinfile with the path of the file containing the HSM-partition PIN code):

    # export SSH_PKCS11_PINFILE=hsm/pinfile

    Remember to delete the PIN-code file after completing verification.

  2. Activate the sshmgr runtime environment to enable manual use of the Key Manager key-generation tool:

    # source /opt/sshmgr-runtime/bin/activate

  3. Finally, use the Key Manager key-generation tool to verify that keys in the HSM partition can be read:

    # /opt/sshmgr-runtime/bin/ssh-keygen \
    -D /opt/nfast/toolkits/pkcs11/libcknfast.so

    The command should output the public-key data of the keys in the HSM partition.
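The three steps above, wrapped in one POSIX shell script as an added example (this is not part of the Key Manager documentation or product). It reuses the paths and the SSH_PKCS11_PINFILE variable exactly as the page gives them, checks that ssh-keygen actually returned at least one public-key line rather than just exiting 0, and removes the PIN-code file on exit so the reminder in step 1 cannot be forgotten. The `count_hsm_keys` helper and the `HSM_VERIFY_RUN` gate are assumptions of this example, not anything the product provides.

```shell
#!/bin/sh
# Added example, not Key Manager code: runs the HSM key-verification procedure
# end to end and cleans up the PIN-code file afterwards.

# Paths from the documentation; override via environment if your install differs.
PKCS11_LIB="${PKCS11_LIB:-/opt/nfast/toolkits/pkcs11/libcknfast.so}"
KEYGEN="${KEYGEN:-/opt/sshmgr-runtime/bin/ssh-keygen}"
ACTIVATE="${ACTIVATE:-/opt/sshmgr-runtime/bin/activate}"

# Count public-key lines in ssh-keygen output. A line counts when its first
# field is an SSH key-type name. Prints the count and returns 0 when at least
# one key was listed, 1 otherwise (so "command succeeded but printed nothing"
# is treated as a failed verification).
count_hsm_keys() {
    n=$(printf '%s\n' "$1" | awk '
        $1 ~ /^(ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp[0-9]+)$/ { c++ }
        END { print c + 0 }')
    printf '%s\n' "$n"
    [ "$n" -ge 1 ]
}

# Step 1 (optional PIN file), step 2 (activate runtime), step 3 (list keys).
# Argument: path of the PIN-code file, or an empty string when the partition
# is not card-protected.
verify_hsm_keys() {
    pinfile="$1"
    if [ -n "$pinfile" ]; then
        [ -r "$pinfile" ] || { echo "PIN file not readable: $pinfile" >&2; return 2; }
        # The PIN stays in a file (never on the command line, where ps would
        # show it) and the file is deleted however the script exits.
        SSH_PKCS11_PINFILE="$pinfile"; export SSH_PKCS11_PINFILE
        trap 'rm -f -- "$pinfile"' EXIT
    fi
    . "$ACTIVATE"
    out=$("$KEYGEN" -D "$PKCS11_LIB") || { echo "ssh-keygen -D failed" >&2; return 3; }
    n=$(count_hsm_keys "$out") || { echo "no public keys returned from HSM partition" >&2; return 4; }
    echo "HSM partition readable: $n public key(s) decoded"
    printf '%s\n' "$out"
}

# Only run when explicitly requested, so the file can also be sourced for its
# functions without touching the HSM.
if [ "${HSM_VERIFY_RUN:-0}" = "1" ]; then
    verify_hsm_keys "${SSH_PKCS11_PINFILE:-}"
fi
```

Run it on the Key Manager Server as `HSM_VERIFY_RUN=1 SSH_PKCS11_PINFILE=hsm/pinfile sh verify-hsm.sh` (omit the PIN-file variable when the partition is not card-protected). A non-zero exit with the message "no public keys returned" is the case worth watching for: the PKCS#11 provider loaded and the tool ran, but the partition presented no readable keys, which usually points at the wrong partition, a PIN that was not accepted, or keys created with attributes the tool cannot decode.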