By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

CloudHSMv2 Force "TLS client-server mutual authentication" or disable default key on HSM

0

I am assuming that when you follow the steps to use "TLS client-server mutual authentication," the default key can still be used.

  • Is it possible to only allow "TLS client-server mutual authentication" connections to an HSM?

  • In other words, can we disable connections where the client uses the default ssl key?

  • Is there any difference in authorization between a session on a "TLS client-server mutual authentication" ssl connection and a session on a default key ssl connection?

    • If not, why would someone bother to use a trust-anchor-signed ssl key if anyone can make an equally authorized session with the default key?

Background:

https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started-ssl.html

AWS CloudHSM uses an SSL certificate to establish a connection to an HSM. A default key and SSL certificate are included when you install the client. You can, however, create and use your own. Note that you will need the self–signed certificate (customerCA.crt) that you created when you initialized your cluster.

...

To use a custom certificate and key for TLS client-server mutual authentication with Client SDK 5 on Linux

Topics
Security, Identity, & Compliance
Tags
AWS CloudHSM
Language
English
AWS-User-8882385
asked 2 years ago396 views
1 Answer
0

  1. You can only allow TLS client-server mutual authentication and disable the default key in order to do so you will have to use the Client SDK 5 configure tool to update client-side configuration files. https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sdk-5.html
    --server-client-cert-file <Client/certificate/file>
    Path to the client certificate used for TLS client-server mutual authentication. Only use this option if you don’t wish to use the default key and SSL/TLS certificate we include with Client SDK 5. You must set this option in combination with --server-client-key-file.
    Required: No

    --server-client-key-file <Client/key/file>
    Path to the client key used for TLS client-server mutual authentication Only use this option if you don’t wish to use the default key and SSL/TLS certificate we include with Client SDK 5. You must set this option in combination with --server-client-cert-file.
    Required: No

  2. The difference is that mutual TLS (Transport Layer Security) authentication is an optional component of TLS that offers two-way peer authentication. Mutual TLS authentication adds a layer of security over TLS and allows your services to verify the client that's making the connection.The client in the client-server relationship also provides an X.509 certificate during the session negotiation process. The server uses this certificate to identify and authenticate the client. This process helps to verify if the certificate is issued by a trusted certificate authority (CA) and if the certificate is a valid certificate. It also uses the Subject Alternative Name (SAN) on the certificate to identify the client. https://docs.aws.amazon.com/app-mesh/latest/userguide/mutual-tls.html

AWS
Shahna
answered a year ago
  • OS
    8 months ago

    About the original question :

    • why would someone bother to use a trust-anchor-signed ssl key if anyone can make an equally authorized session with the default key ?

    So using my own produced ssl key and cert (instead of the default one) create a better secure (encrypted) communication between the client and the cloudHSM. Though this cannot be used to restrict access to cloudHSM from a specific client machine because the default key and cert can always be used from any other machine (along with the root CA). Is that correct ???

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content