Public Infrastructure Manage (CSNDPIM)
Use the CSNDPIM verb to manage the public key infrastructure stored inside the adapter.
You can manage a public key infrastructure inside the HSM to enable the use of standard-compliant X.509 certificates with CCA. For such certificates, you use a so-called trust parent, which is the certificate installed from the Trusted Key Entry workstation (TKE). The trust parent is the root of the trust chain of certificates that validate an operational X.509 certificate. The trust parent could be an actual certificate authority (CA) root certificate, or it could be a sub-CA certificate. The security is the same from the perspective of the adapter because the trust parent is installed under dual control security by administrators of the adapter.
Thus, the management of trust parents requires dual-control administrative capabilities through the TKE, while management of operational certificates is similar to existing public key tokens. The CSNDPIM interface to the public key infrastructure (PKI) in the HSM allows some limited management and query functions that do not require administrative authentication.
You supply the following information:
- To import a trust parent on the TKE:
  - Supply an X.509 certificate that is DER or PEM encoded (binary DER) and a 64-byte label to initiate import.
  - Generate a hash of the X.509 certificate, a 64-byte label and a keyword to complete import.
  - A trust parent from a CCA point of view may actually be a sub-CA certificate when considered from the view of an external PKI:
    - The distinction for CCA is that a trust parent:
      - establishes a new line of trust in the HSM, much like a master wrapping key
      - is loaded under dual control: load of a trust root is protected by two access control points, one for each phase of the process.
    - Loading a sub-CA certificate as a trust parent is expected for some workflows:
      - CCA does not implement a full PKI hierarchy internally. So any operational X.509 certificate should have its trust parent, namely the certificate for the issuer, loaded to the HSM.
      - This is reasonable from a security perspective given that a sub-CA loaded as a trust parent has been loaded by two administrators, and so the same level of trust is justified.

      Note: As a PKI participant, CCA cannot validate the signature on a sub-CA certificate loaded as a trust parent, since the issuer certificate is not part of the internal PKI.
  - The HSM has no independent access to a network and thus:
    - cannot use NTP to maintain accurate timing for trust parent expiration
    - cannot interrogate external revocation lists.
- To list trust parents (by label):
  - Supply a keyword.
  - Supply a buffer to hold the information.
This verb does not need to document any Usage notes.