Is your HSM at the end of its life (EOL)? Here you can find out how you can move forward!
Every product will, at some point in time, reach the end of its life span and will need to be replaced. In the case of HSMs (Hardware Security Modules), particularly when used in a PKI/CA – a Public Key Infrastructure Certificate Authority – this might seem more daunting than replacing simple network equipment. The reason for this is that the HSM holds the root key for the PKI – and getting the root key out of the HSM can pose a challenge.
Instead of simply picking the expensive next-generation platform of your existing vendor, you might want to consider alternatives. Securosys’ Primus HSMs offer a multitude of advantages over industry standard devices when used in a PKI/CA. The multi-tenancy of the Primus HSM allows one partition to be used for the root key of the main CA, while additional partitions can be used for the sub-CAs.
After the certificates for the sub-CAs have been signed by the root key, the partition of the main CA can be taken offline by Security Officers. That way it can no longer be accessed without the involvement of the Security Officers – a much simpler and more economical procedure than transporting an HSM device to a physical vault. Also, the Decanus Remote Administration Terminal enables you to manage Primus HSMs from your desk.
Depending on the setup of your existing PKI, any of these options will work when migrating to Securosys. All all of these processes have been used to successfully migrate existing systems to Securosys’ Primus HSMs and our CloudsHSM.
This is the easiest option. Depending on the setup of your PKI, in particular the settings of your old HSM, you can extract the root key from it. If that is possible, the recommended method is to use a wrapping key from your new Securosys Primus HSM. Using the wrapping key, export the root key from your old system and import it into the new system.
If your root key cannot be exported, then Option 2 might work for you.
When you were setting up your PKI (or when it was set up for you), you might have generated the root key outside the HSM to prevent vendor lock-in and to have a backup. If you have such a backup – typically on paper, stored in a safety deposit box at your bank – then you can simply import it into your new Primus HSM.
Should you have no backup, then Option 3 is the solution for you.
Rather than importing the old root key, you can renew your root key and CA certificate with a key roll-over onto the new HSM. If that option is not available, simply set up a new PKI with a new root key. From this point on, all new certificates will be issued by the new PKI. Depending on the lifetime of the previously issued certificates and when the last one was created, you will have to keep your old system running for one to two more years. The old system will no longer be used to make new certificates. Instead, it will only be kept operational to maintain the certificate revocation list (CRL) and the OCSP (Online Certificate Status Protocol). Once the last certificate from the old system has expired, you can simply dismantle it. You may also speed up the whole process by revoking all existing certificates and re-issue them on the new PKI/CA and then maintain a final CRL for a couple years.
In addition, you might also consider cross-signing the certificates of the new sub-CAs. That way, you would have those certificates signed by both, the root key of the new CA and the root key of the old CA. This provides an alternate trust path while maintaining backward compatibility.
The Primus system operates well with most major PKI applications on the market, such as MS ADCS, EJBCA Enterprise (PrimeKey), SwissPKI, Entrust Security Manager, and many more.
While some planning is necessary ahead of time, you can take full advantage of the Primus benefits after moving away from your old system. These benefits include simple clustering, remote management, and the ability to further secure your system by implementing geo-redundancy. As shown above, migrating your PKI to Securosys’ Primus HSMs is easy.
For more information and Securosys partners that can help with a PKI migration, please contact us.
For more information and Securosys partners that can help with a PKI migration, please contact us.
