Fortinet white logo
Fortinet white logo

Administration Guide

NetHSMs

NetHSMs

NetHSMs can be configured on the FortiAuthenticator for the purpose of storing the private keys of Local CAs or issuing user and local service certificates with local CAs that have their private keys stored on the HSM.

Supported HSM servers currently include Safenet Luna v7.

Configuring an HSM server on FortiAuthenticator

Before creating the HSM server on FortiAuthenticator, you must first configure your HSM with an SSH administrator account and key partition.

To configure a new HSM server:
  1. Go to System > Administration > NetHSMs, and click Create New.
  2. In the Create New HSM Server window, configure the HSM server settings.
    Name

    The name of the HSM server.

    This name is for FortiAuthenticator reference purposes only and does not need to match any configuration on the HSM.

    HSM Server Type

    The HSM type.

    Safenet Luna v7 is currently the only supported HSM type.

    Server IP/FQDNThe address of the HSM.
    Partition PasswordThe password for the key partition on the HSM.
    Client IP

    The address of the FortiAuthenticator interface that the HSM can see.

    For example, if the FortiAuthenticator is behind a NAT device, this should be the NAT'ed address.

    Upload server certificate

    Upload the server certificate downloaded from your HSM.

  3. Click OK to complete setup.

    You can edit an existing HSM server to download the HSM client certificate, as well as view the server and client Network Trust Link (NTL) certificate fingerprints.

Authorizing FortiAuthenticator as an HSM client

Once your HSM server has been configured, you can authorize FortiAuthenticator as a client on your HSM.

To authorize FortiAuthenticator as a Safenet Luna client:
  1. Edit the previously configured HSM server on FortiAuthenticator, and click Download client certificate.
    Make sure the downloaded certificate uses the <FAC IP>.pem naming convention. For example: 172.16.68.47.pem.
  2. Upload the client certificate to the Safenet Luna HSM using SCP transfer.

    scp [certificate filename] admin@[HSM address]:

  3. Use SSH to connect to the HSM, then register your FortiAuthenticator, and associate it with a partition.

    ssh -1 admin [HSM address]

    client register -c [client name] -ip [client address]

    client assignpartition -c [client name] -p [partition name]

  4. Confirm the status. For example:

    client show -c my_fac

    ClientID: my_fac

    IPAddress: 172.16.68.47

    Partitions: my_partition

Configuring or importing an HSM CA certificate

After the HSM server has been configured and FortiAuthenticator is authorized as an HSM client, local CA certificates using the HSM can be created or imported at Certificate Management > Certificate Authorities > Local CAs. See Local CAs.

NetHSMs

NetHSMs

NetHSMs can be configured on the FortiAuthenticator for the purpose of storing the private keys of Local CAs or issuing user and local service certificates with local CAs that have their private keys stored on the HSM.

Supported HSM servers currently include Safenet Luna v7.

Configuring an HSM server on FortiAuthenticator

Before creating the HSM server on FortiAuthenticator, you must first configure your HSM with an SSH administrator account and key partition.

To configure a new HSM server:
  1. Go to System > Administration > NetHSMs, and click Create New.
  2. In the Create New HSM Server window, configure the HSM server settings.
    Name

    The name of the HSM server.

    This name is for FortiAuthenticator reference purposes only and does not need to match any configuration on the HSM.

    HSM Server Type

    The HSM type.

    Safenet Luna v7 is currently the only supported HSM type.

    Server IP/FQDNThe address of the HSM.
    Partition PasswordThe password for the key partition on the HSM.
    Client IP

    The address of the FortiAuthenticator interface that the HSM can see.

    For example, if the FortiAuthenticator is behind a NAT device, this should be the NAT'ed address.

    Upload server certificate

    Upload the server certificate downloaded from your HSM.

  3. Click OK to complete setup.

    You can edit an existing HSM server to download the HSM client certificate, as well as view the server and client Network Trust Link (NTL) certificate fingerprints.

Authorizing FortiAuthenticator as an HSM client

Once your HSM server has been configured, you can authorize FortiAuthenticator as a client on your HSM.

To authorize FortiAuthenticator as a Safenet Luna client:
  1. Edit the previously configured HSM server on FortiAuthenticator, and click Download client certificate.
    Make sure the downloaded certificate uses the <FAC IP>.pem naming convention. For example: 172.16.68.47.pem.
  2. Upload the client certificate to the Safenet Luna HSM using SCP transfer.

    scp [certificate filename] admin@[HSM address]:

  3. Use SSH to connect to the HSM, then register your FortiAuthenticator, and associate it with a partition.

    ssh -1 admin [HSM address]

    client register -c [client name] -ip [client address]

    client assignpartition -c [client name] -p [partition name]

  4. Confirm the status. For example:

    client show -c my_fac

    ClientID: my_fac

    IPAddress: 172.16.68.47

    Partitions: my_partition

Configuring or importing an HSM CA certificate

After the HSM server has been configured and FortiAuthenticator is authorized as an HSM client, local CA certificates using the HSM can be created or imported at Certificate Management > Certificate Authorities > Local CAs. See Local CAs.