Discover keys on HSMs
There are two ways to discover an HSM keypair:
By entering a key label
A key label is the label that the user assigned to the key during the setup process on the HSM.
By uploading a file
We support .PEM and .KEY (DER-encoded public key) files.
Before you begin
Review the following statements:
We only support Luna HSMs and DPOD.
We support SafeNet Luna version 7.
We support the following key algorithms and key sizes:
Table 1. Supported key algorithms and key sizes
Key algorithm | Key size
RSA           | 2048, 3072, 4096, 65537 (only supported as the modulus)
ECDSA         | P-256, P-384
EdDSA         | Ed25519
In order to make a key discoverable, the HSM must be mapped to a specific account on the CA Manager.
If an HSM is shared and mapped to all accounts, then the import function won't work.
HSM partitions that don't have an escrow key created in CA Manager won't display as an option to select.
This restriction is a security measure that prevents cross-account keypair imports on shared HSMs.
For every keypair discovery, one cryptographic unit is consumed.
Discover a keypair on an HSM partition
In the Software Trust menu, go to Keypairs > Keypairs.
Select Discover HSM keypair.
Enter a descriptive Keypair alias.
This name will be used to identify and display the keypair in the Keypairs page.
Select how you want to discover the key. You can enter a key label (Discover key label) or upload a file (Discover with public key).
For Discover key label:
Enter the Key label that was assigned to the key during the setup process on the HSM.
Select the Partition where the keypair is stored.
Select the Algorithm for the keypair.
For Discover with public key:
Select the Partition where the keypair is stored.
Select the Algorithm for the keypair.
Select the File type of the file that you want to upload. We support .PEM and .KEY (DER-encoded public keys) files.
Upload the file.
Select Initiate key discovery, and then follow the on-screen prompts.
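Before uploading a file for Discover with public key, it is worth checking locally that the file is a public key in one of the accepted formats (.PEM or DER-encoded .KEY) and that its algorithm and size appear in Table 1. The following added example (not code from the original page or from the CA Manager product) is a dependency-free checker that parses a SubjectPublicKeyInfo structure in either format, refuses a PEM file whose header says it is a private key, and reports whether the key matches the supported table; the algorithm OIDs are standard values, and the sample keys at the bottom are constructed, structurally valid encodings rather than real key material.

```python
import base64
# Standard OIDs for the algorithms Table 1 lists as supported (assumed mapping, not from the page)
OID_RSA, OID_EC, OID_ED25519 = "1.2.840.113549.1.1.1", "1.2.840.10045.2.1", "1.3.101.112"
CURVES = {"1.2.840.10045.3.1.7": "P-256", "1.3.132.0.34": "P-384"}
RSA_SIZES = {2048, 3072, 4096}

def _tlv(buf, pos):  # decode one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                # long-form length: next (ln & 0x7f) bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _oid(body):  # decode OID content bytes into dotted-decimal form
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def inspect_public_key(data: bytes) -> dict:
    """Classify a PEM or DER SubjectPublicKeyInfo against the supported algorithm/size table."""
    fmt = "PEM" if data.lstrip().startswith(b"-----BEGIN") else "DER"
    if fmt == "PEM":                             # strip the armour lines and base64-decode
        if b"PRIVATE" in data.lstrip().split(b"\n", 1)[0]:
            raise ValueError("private key supplied; upload the public key only")
        data = base64.b64decode(b"".join(l for l in data.splitlines() if not l.startswith(b"-----")))
    _, spki, _ = _tlv(data, 0)                   # SEQUENCE { AlgorithmIdentifier, BIT STRING }
    _, alg_id, p = _tlv(spki, 0)
    _, bitstr, _ = _tlv(spki, p)
    _, oid_bytes, q = _tlv(alg_id, 0)
    oid = _oid(oid_bytes)
    if oid == OID_RSA:                           # BIT STRING wraps RSAPublicKey { n, e }; size = bits of n
        _, rsa_seq, _ = _tlv(bitstr, 1)          # offset 1 skips the unused-bits byte
        _, modulus, _ = _tlv(rsa_seq, 0)
        bits = int.from_bytes(modulus, "big").bit_length()
        return {"format": fmt, "algorithm": "RSA", "size": bits, "supported": bits in RSA_SIZES}
    if oid == OID_EC:                            # curve is the AlgorithmIdentifier parameter OID
        curve = CURVES.get(_oid(_tlv(alg_id, q)[1]))
        return {"format": fmt, "algorithm": "ECDSA", "size": curve, "supported": curve is not None}
    if oid == OID_ED25519:
        return {"format": fmt, "algorithm": "EdDSA", "size": "Ed25519", "supported": True}
    return {"format": fmt, "algorithm": oid, "size": None, "supported": False}

# Constructed sample keys (structurally valid SPKI encodings, not real key material) for offline runs
SAMPLE_ED25519_DER = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))
SAMPLE_P256_DER = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200") + b"\x04" + bytes(64)
SAMPLE_RSA2048_DER = (bytes.fromhex("30820122300d06092a864886f70d01010105000382010f003082010a0282010100")
                      + b"\xc0" + bytes(255) + bytes.fromhex("0203010001"))
SAMPLE_ED25519_PEM = b"-----BEGIN PUBLIC KEY-----\n" + base64.encodebytes(SAMPLE_ED25519_DER) + b"-----END PUBLIC KEY-----\n"
```

A key that is reported as unsupported (for example an RSA modulus of another length or an EC curve outside P-256/P-384) will not be discoverable regardless of how the file is uploaded.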