Configure CyberArk Trust Protection Foundation CryptoHub integration

This section covers the following integration configuration tasks:

Create an HSM connector and generate a key
Enable CyberArk Advanced Key Protect
Generate an HSM private key
Configure code signing

Create a connector and generate a key

Perform the following steps to create an HSM connector and generate an HSM-Protected encryption key:

Open the CyberArk Configuration Console application.

Select the Connectors node.

Select [ Create HSM Connector ] in the Actions panel.

Enter the local master admin username and password and click [ OK ].

In the Create New HSM (Cryptoki) Connector window, specify a Name for the HSM connector.

For Cryptoki Dll Path, select [ Browse… ] and select the Futurex PKCS #11 DLL file at the following path:

Text

C:\Program Files\Futurex\fxpkcs11\fxpkcs11.dll

Select [ Load Slots ].

Select the slot number configured in the FXPKCS11 configuration file (the default is slot 0). This is where CyberArk Trust Protection Foundation accesses the encryption keys.

For User Type, leave the default option selected, Crypto Officer (User). CyberArk TPF uses the identity configured inside the FXPKCS11 configuration file when connecting to the CryptoHub.

For Pin, enter the CryptoHub identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.

Select [ Verify ].

If the connection to the CryptoHub is successful, a new Permitted Keys section populates in the window.

Select [ New Key… ].

In the Create New HSM Key window, enter a Name and select the Type for the key, and select [ Create ].

If key creation is successful, the key is now viewable inside the CyberArk Trust Protection Foundation service on the CryptoHub. The name of the key is shown in the list of Permitted Keys in the Create New HSM Key window.

If you plan to use CyberArk CodeSign Protect to store private code signing keys on the CryptoHub, select the Allow Key Storage checkbox here.

Select [ Create ] to save and close the window.

Enable CyberArk Advanced Key Protect

HSM Private Key Generation and CyberArk Code Signing Certificate Private Key Storage require you to enable CyberArk Advanced Key Protect. Perform the following steps to do this:

Open the CyberArk Configuration Console application.

Select [ Enable CyberArk Advanced Key Protect… ] in the Actions panel.

Enter the local master admin username and password and select [ OK ].

Review the information in the following dialog and select [ Enable ] to proceed.

Perform the following steps to restart the IIS, Venafi Platform, and Logging services:

Select the Product node.
Select Website and then select [ Restart ] in the Actions panel.
Select Venafi Platform and then select [ Restart ] in the Actions panel.
Select Logging and then select [ Restart ] in the Actions panel.

Generate HSM Private Key

CyberArk Trust Protection Foundation uses the CryptoHub for private key generation for SSH keys and certificates.

CyberArk Trust Protection Foundation uses Certificate Authority (CA) template objects to manage the certificate life cycle. Creating one is a prerequisite to HSM Key Generation. See Venafi documentation for more information.

Configure the Venafi platform policy

Perform the following steps to configure the Venafi platform policy to enable the CryptoHub for HSM key generation:

Select Policy Tree in the main menu at the top of the page.

In the Policy : Certificate window, go to the Certificate tab.

Under Other Information, perform the following steps:

Select the name of the HSM Connector you created for the CryptoHub in the Key Generation drop-down menu.
Select the name of the HSM-Protected Encryption Key you created on the CryptoHub.

Select [ Save ] at the bottom of the page.

Generate the certificate

Perform the following steps to generate the certificate:

Select Policy Tree in the main menu at the top of the page.

On the left-side menu, select [ Add ] under the Policy drop-down menu and select Certificates > Certificate.

Under General Information, enter the required information, and for Management Type, select Provisioning or Enrollment.

Under CSR Handling, leave Service Generated CSR selected for CSR Generation, and leave Generate Key/CSR on Application set to No.

Under Subject DN, enter the required information.

Under Private Key, select the Key Algorithm to use and the desired Key Strength in bits.

Under Other Information, search for and select the previously configured CA Template.

Select [ Save ].

Select the newly generated certificate from the policy tree.

The Certificate Status should be OK.

Select [ Renew Now ].

The Certificate Status changes to Queued for renewal.

After a moment, select [ Refresh ] to show the certificate details in the window.

If you selected Provisioning as the Management Type, associate the certificate with the intended application object.

Configure code signing

CyberArk CodeSign Protect can store private code signing keys in the CryptoHub. This section describes the basic steps to configure this functionality for the integration. See Venafi documentation for more details.

Certificate Authority (CA) template objects are used in CyberArk Trust Protection Foundation to manage the certificate lifecycle. Creating one is a prerequisite to CodeSign. See Venafi documentation for more information.

To use an HSM for key storage, you must enable Key Storage on the HSM Connector.

Assign permissions

Perform the following steps to assign permissions to a Code Signing administrator:

Open the CyberArk Configuration Console application.

Select the System Roles node.

Select [ Add CodeSign Protect Administrator ] in the Actions panel.

Select a user to grant CodeSign Protect Administrator permissions.

Create a Code Signing flow

Perform the following steps to create a Code Signing flow:

Open the CyberArk Configuration Console application.

Under the Code Signing node, select Custom Flows.

Select Add new Code Signing Flow in the Actions panel.

Enter a name for the Code Signing Flow.

Select the newly created Code Signing Flow and add an approver through the Actions panel.

Create an environment template

Perform the following steps to create an environment template for the Code Signing Project:

Open the CyberArk Configuration Console application.

Under the Code Signing node, select Environment Templates.

Select Certificate in the Actions panel under Add Single Template.

Enter a name for the Code Signing Environment Template and select [ Create ].

In the Settings tab of the Properties window, enter a Description and select a Certificate Container and Signing Flow.

Go to the Certificate Authority tab and select a CA Template, and select [ Add ].

Go to the Keys tab and select which key sizes to enable for RSA and Elliptic Curve keys.

Open the Key Storage tab and select the Futurex HSM Connector, and select [ Add ].

Enter any optional information in the remaining tabs, and select [ OK ].

Create a Code Signing Project

Perform the following steps to create a new Code Signing Project:

Select Projects in the main menu at the top of the page.

Select [ Create Project ].

Enter a Project Name and Description.

Select [ Create ].

Create an environment

Perform the following steps to create an environment for the project with a new HSM private key and certificate:

Inside the newly created Code Signing Project, go to the Environments tab and select Add Environment > Certificate & Key.

Enter the Environment Name.

Select the Environment Template you created for this Code Signing project.

For Creation Type, select Create New.

The Key Storage Location should now list the Futurex HSM Connector.

Enter any other necessary information for the certificate.

Select [ Save ].

Select [ Submit For Approval ] to generate a new certificate and private key once it is approved.

Approve the Project

Perform the following steps to approve the Project:

Select Approvals in the main menu at the top of the page.

Under Pending Approvals, select the Project Creation request you just submitted.

Select [ Approve ].

Go back to the project, and in the Environments tab, you should see a Certificate & Key in Hardware (such as the CryptoHub).

Documentation Index

​Create a connector and generate a key

​Enable CyberArk Advanced Key Protect

​Generate HSM Private Key

​Configure the Venafi platform policy

​Generate the certificate

​Configure code signing

​Assign permissions

​Create a Code Signing flow

​Create an environment template

​Create a Code Signing Project

​Create an environment

​Approve the Project

Create a connector and generate a key

Enable CyberArk Advanced Key Protect

Generate HSM Private Key

Configure the Venafi platform policy

Generate the certificate

Configure code signing

Assign permissions

Create a Code Signing flow

Create an environment template

Create a Code Signing Project

Create an environment

Approve the Project