NetHSMs
NetHSMs can be configured on the FortiAuthenticator for the purpose of storing the private keys of Local CAs or issuing user and local service certificates with local CAs that have their private keys stored on the HSM.
Supported HSM servers currently include Safenet Luna v7.
Configuring an HSM server on FortiAuthenticator
Before creating the HSM server on FortiAuthenticator, you must first configure your HSM with an SSH administrator account and key partition.
To configure a new HSM server:
- Go to System > Administration > NetHSMs, and click Create New.
- In the Create New HSM Server window, configure the HSM server settings.
Name The name of the HSM server.
This name is for FortiAuthenticator reference purposes only and does not need to match any configuration on the HSM.
HSM Server Type The HSM type.
Safenet Luna v7 is currently the only supported HSM type.
Server IP/FQDN The address of the HSM. Partition Password The password for the key partition on the HSM. Client IP The address of the FortiAuthenticator interface that the HSM can see.
For example, if the FortiAuthenticator is behind a NAT device, this should be the NAT'ed address.
Upload server certificate
Upload the server certificate downloaded from your HSM.
- Click OK to complete setup.
You can edit an existing HSM server to download the HSM client certificate, as well as view the server and client Network Trust Link (NTL) certificate fingerprints.
Authorizing FortiAuthenticator as an HSM client
Once your HSM server has been configured, you can authorize FortiAuthenticator as a client on your HSM.
To authorize FortiAuthenticator as a Safenet Luna client:
- Edit the previously configured HSM server on FortiAuthenticator, and click Download client certificate.
Make sure the downloaded certificate uses the<FAC IP>.pem
naming convention. For example:172.16.68.47.pem.
- Upload the client certificate to the Safenet Luna HSM using SCP transfer.
scp [certificate filename] admin@[HSM address]:
- Use SSH to connect to the HSM, then register your FortiAuthenticator, and associate it with a partition.
ssh -1 admin [HSM address]
client register -c [client name] -ip [client address]
client assignpartition -c [client name] -p [partition name]
- Confirm the status. For example:
client show -c my_fac
ClientID: my_fac
IPAddress: 172.16.68.47
Partitions: my_partition
Configuring or importing an HSM CA certificate
After the HSM server has been configured and FortiAuthenticator is authorized as an HSM client, local CA certificates using the HSM can be created or imported at Certificate Management > Certificate Authorities > Local CAs. See Local CAs.