Appendix: Configuring Vault to use a key manually generated on the HSM
The following example uses FXCLI to generate a new key pair on the HSM and assign it a PKCS11 label that Vault can reference when creating a managed key.
Run the FXCLI application.
Configure TLS certificates for communication between FXCLI and the HSM by using the tls commands.
Run tls help to access syntax documentation.
Use the following command to connect to the HSM:
Log in to the HSM with the default Admin1 and Admin2 identities by running the following command twice, entering the username and password when prompted:
Create a new key pair in the next available key slot on the HSM:
Confirm which key slot the private key was added to:
Assign a PKCS11 label to the key (Vault needs this external data field to be set so that it can find the key):
The number that you specify in the slot flag needs to match the slot number of the private key determined in the previous step. The PKCS11 label value should match the name set for the key pair in the generate command.
This example creates a managed key in Vault by referencing the PKCS11 label of the key that you manually generated on the HSM using FXCLI.
The Vault command used to create a managed key from a key that already exists on the HSM is almost identical to the command you used to have Vault generate a key on the HSM in the Testing PKI operations section.
Create a managed key in Vault for the 2048-bit RSA key, referencing it by the key label VaultManualKey:
In the key_label field, specify the PKCS11 label you assigned to the key with the keytable extdata FXCLI command in the previous section. The main difference from the earlier command is that this one sets allow_generate_key to false, so that Vault returns an error instead of generating a new key on the HSM if it cannot find a key with the referenced label.
Verify that the key configuration has been written to Vault.
Verify that the key configuration is valid by test signing some data.
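The steps above, collected into one script as an added example; this is not code from the original guide nor from Vault or Futurex tooling. It registers the managed key with allow_generate_key=false, reads the definition back and checks that the label and the allow_generate_key setting are what you intended, and then test-signs with the key. The managed-key name hsm-manual-key, the PKCS#11 library path, the slot number and the PIN are placeholders, and the check_config function assumes Vault's default pretty-printed JSON output. The sample JSON used to exercise the check is constructed, not captured from a real Vault.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide or of Vault/Futurex tooling:
# register a Vault managed key that points at a key already generated on the
# HSM with FXCLI, verify the stored definition, and test-sign with it.
# Placeholders to adjust for your environment: PKCS#11 library path, slot,
# PIN, and the managed-key name "hsm-manual-key".
set -euo pipefail

KEY_NAME="${KEY_NAME:-hsm-manual-key}"              # assumed managed-key name in Vault
KEY_LABEL="${KEY_LABEL:-VaultManualKey}"            # PKCS11 label set via keytable extdata
PKCS11_LIB="${PKCS11_LIB:-/usr/lib/libfxpkcs11.so}" # assumed path to the PKCS#11 library
HSM_SLOT="${HSM_SLOT:-0}"                           # assumed PKCS#11 slot, not the FXCLI key slot
HSM_PIN="${HSM_PIN:-changeme}"                      # placeholder; do not hard-code in production

# Key/value arguments for `vault write sys/managed-keys/pkcs11/<name>`.
# allow_generate_key=false makes Vault fail if KEY_LABEL is not found on the
# HSM instead of quietly creating a fresh key under that label.
managed_key_args() {
  printf '%s\n' \
    "library=${PKCS11_LIB}" \
    "slot=${HSM_SLOT}" \
    "pin=${HSM_PIN}" \
    "key_label=${KEY_LABEL}" \
    "mechanism=0x0001" \
    "key_bits=2048" \
    "allow_generate_key=false" \
    "allow_store_key=false"
}

create_managed_key() {
  local -a args
  mapfile -t args < <(managed_key_args)
  vault write "sys/managed-keys/pkcs11/${KEY_NAME}" "${args[@]}"
}

# Read `vault read -format=json` output from stdin and succeed only if the
# key label matches and allow_generate_key is false. Greps the JSON text,
# which assumes Vault's default pretty-printed layout ("key": value per line).
check_config() {
  local json
  json="$(cat)"
  grep -q "\"key_label\": \"${KEY_LABEL}\"" <<<"$json" \
    && grep -q '"allow_generate_key": false' <<<"$json"
}

verify_managed_key() {
  vault read -format=json "sys/managed-keys/pkcs11/${KEY_NAME}" | check_config
}

# Have Vault sign test data with the HSM-resident key to prove the reference
# is usable end to end.
test_sign() {
  vault write -f "sys/managed-keys/pkcs11/${KEY_NAME}/test/sign"
}

# Constructed sample outputs (not captured from a real Vault) so check_config
# can be exercised without an HSM: one correct definition, one that would let
# Vault generate a key if the label were missing.
SAMPLE_OK=$'{\n  "data": {\n    "allow_generate_key": false,\n    "key_bits": 2048,\n    "key_label": "VaultManualKey"\n  }\n}'
SAMPLE_BAD=$'{\n  "data": {\n    "allow_generate_key": true,\n    "key_bits": 2048,\n    "key_label": "VaultManualKey"\n  }\n}'

# Only talk to Vault when explicitly asked, so the file is safe to source.
if [ "${RUN_AGAINST_VAULT:-0}" = "1" ]; then
  create_managed_key
  verify_managed_key
  test_sign
fi
```

Run it with `RUN_AGAINST_VAULT=1 PKCS11_LIB=... HSM_SLOT=... HSM_PIN=... ./script.sh` against a Vault that already has the PKCS#11 library path allowed. Note that `slot` here is the PKCS#11 slot exposed by the library, which is not the same number as the FXCLI key-table slot you confirmed earlier; the key-table slot only matters when you assign the PKCS11 label, and Vault then locates the key by that label.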