KB Article #175873
Setup MailGate to store its private keys for proxy S/MIME decryption on an external HSM device
Guideline for setting up MailGate to store its private keys for proxy S/MIME decryption on an external Hardware Security Module (HSM) device. This guideline outlines the steps using SafeNet LunaSA 5.1 as HSM.
Resolution
I. HSM Configuration
1. On MailGate: Generate a client certificate:
Admin UI > Administration > HSM > Client certificate > Generate
2. On MailGate: Export the public key:
Admin UI > Administration > HSM > Client certificate > <certificate name> > Export
3. On LunaSA: Download LunaSA’s key:
bash-2.05# scp admin@myLuna:server.pem .
admin@myLuna's password:
Expected output:
server.pem 100%
4. On LunaSA: Upload the exported MailGate key (step #3) to LunaSA:
~ # scp <your_MG_cert_name>.pem admin@myLunaSA:
admin@myLunaSA's password:
Expected output:
<your_MG_cert_name>.pem 100%
5. On LunaSA: Register MailGate as a client:
[luna-sa5-1] lunash:>client register -client mailgate -ip XX.XX.XX.XX
Expected output:
'client register' successful.
Command Result : 0 (Success)
6. On LunaSA: Assign a partition to the newly registered client:
[luna-sa5-1] lunash:>client assignPartition -client mailgate -partition mg
Expected output:
'client assignPartition' successful.
Command Result : 0 (Success)
7. On MailGate: Import LunaSA’s public key, select the partition assigned at step #6 and type in the partition password.
Admin UI > Administration > HSM
8. On MailGate: Test connection and verify it is successful.
Sample good configuration
II. Storing S/MIME certificate private keys on HSM:
Scenario A: Self-signed domain certificate, generated in MailGate:
1. Generate the domain certificate:
Administration > Certificates > Local > New S/MIME Certificate
- Select the domain
- Certificate Purpose: Signature & Encryption
- Enable for Proxy S/MIME usage
- Select 'New key on HSM': enter a name for the key and choose the key size.
- Simple Distinguished Name: Put in all details needed
- Common name: your-domain.com
- Email address: secure-server@your-domain.com
2. Once you have saved the certificate, make sure that it appears as “trusted”. You can also select the “Trust unconditionally” option from the drop-down.
Scenario B: Third-party certificate with a key that exists on LunaSA:
1. Import the private key in LunaSA:
cmu importkey -in /root/<your_key_name>.pem -keyalg RSA
2. In MailGate, import the public pem certificate:
- Admin UI > Administration > Certificates > Local > Import
- Choose the option “PEM with HSM key”
- Import the certificate
NOTE: You should import all relevant certificates from the chain under the “Root” and “Intermediate” sections respectively.
3. At the same page (Admin UI > Administration > Certificates > Local > drop-down option) verify the following:
- The new certificate is trusted
- “Edit domain” >> add your domain
- Set default signing, set default encrypting
- Purpose must be “Signature and Encryption”
- “Enable for Proxy S/MIME”
Scenario C: Certificate, generated on MailGate and signed by a third-party CA:
1. Generate the domain certificate:
Administration > Certificates > Local > New S/MIME Certificate
- Select the domain
- Certificate Purpose: Signature & Encryption
- Enable for Proxy S/MIME usage
- Select 'New key on HSM': enter a name for the key and choose the key size
- Simple Distinguished Name: Put in all details needed
- Common name: your-domain.com
- Email address: secure-server@your-domain.com
2. [LUNA] List the private keys in the HSM server to check the handle # of the key generated at step #1:
cmu list
3. [LUNA] Generate a CSR, using the private key from step #1:
cmu requestcertificate <parameters>
4. [LUNA/CA/MG] Download the CSR, sign it and import the newly signed public certificate in MailGate:
- Admin UI > Administration > Certificates > Local > Import
- Choose the option “PEM with HSM key”
- Import the certificate
NOTE: You should import all relevant certificates from the chain under the “Root” and “Intermediate” sections respectively.
5. Delete the old, self-signed certificate (created at step #1) from MailGate.
6. At the same page (Admin UI > Administration > Certificates > Local > drop-down option) verify the following:
- The new certificate is trusted
- “Edit domain” >> add your domain
- Set default signing, set default encrypting
- Purpose must be “Signature and Encryption”
- “Enable for Proxy S/MIME”
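As an added example (not part of this KB article, and not MailGate or SafeNet tooling), the following POSIX shell helper sanity-checks a CA-signed certificate before it is imported with “PEM with HSM key” in Scenario B or Scenario C. It confirms that the public key inside the signed certificate is the same one found in the CSR produced from the HSM key (a mismatch means the certificate cannot be used with the key on the partition) and that the certificate chains to the root and intermediate certificates you are about to import under “Root” and “Intermediate”. It assumes the openssl command-line tool is installed; the CA and keys it builds under make_sample_pki are constructed throw-away software keys standing in for the HSM key, and all file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the KB article: pre-import checks for a signed S/MIME
# certificate whose private key lives on the HSM. Requires the openssl CLI.
set -u

# check_signed_cert CERT CSR ROOT [INTERMEDIATE]
# Returns 0 only if
#   (a) the public key in CERT equals the public key in CSR (the CSR made from the HSM key), and
#   (b) CERT verifies against ROOT, using INTERMEDIATE as an untrusted link when given.
# Returns 1 on a failed check, 2 if a file cannot be parsed.
check_signed_cert() {
    cert=$1; csr=$2; root=$3; inter=${4:-}

    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 2
    csr_pub=$(openssl req -in "$csr" -pubkey -noout 2>/dev/null) || return 2
    if [ "$cert_pub" != "$csr_pub" ]; then
        echo "FAIL: public key in $cert does not match the CSR $csr (wrong HSM key or wrong certificate)" >&2
        return 1
    fi

    if [ -n "$inter" ]; then
        openssl verify -CAfile "$root" -untrusted "$inter" "$cert" >/dev/null 2>&1
    else
        openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1
    fi || {
        echo "FAIL: $cert does not chain to $root (missing or wrong intermediate/root?)" >&2
        return 1
    }

    echo "OK: $(openssl x509 -in "$cert" -noout -subject) matches the CSR and chains to $root"
    return 0
}

# make_sample_pki DIR
# Constructed sample data only: a throw-away CA plus two software keys. In the real
# procedure the leaf key never leaves the HSM; here leaf.key merely stands in for it.
make_sample_pki() {
    dir=$1
    mkdir -p "$dir"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -subj "/CN=Constructed Test CA" \
        -days 1 -out "$dir/ca.pem" 2>/dev/null
    # CSR for the domain certificate (Scenario C, step 3 is done on the Luna with cmu)
    openssl genrsa -out "$dir/leaf.key" 2048 2>/dev/null
    openssl req -new -key "$dir/leaf.key" -subj "/CN=your-domain.com" \
        -out "$dir/leaf.csr" 2>/dev/null
    # The CA signs the CSR; this is the certificate you would import into MailGate
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/leaf.pem" 2>/dev/null
    # A second CSR from a different key, to show how a wrong-key import is caught
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
    openssl req -new -key "$dir/other.key" -subj "/CN=your-domain.com" \
        -out "$dir/other.csr" 2>/dev/null
}

# Stand-alone use: sh check_hsm_cert.sh signed.pem request.csr root.pem [intermediate.pem]
if [ "$#" -ge 3 ]; then
    check_signed_cert "$@"
fi
```

Run the check on the signed certificate, the CSR you downloaded from the Luna in step 4, and the CA’s root (and intermediate, if any) before importing; a public-key mismatch usually means the CSR was generated against a different handle than the key created in step 1.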