Appendix: Configuring Vault to use a key that was manually generated on the HSM
To demonstrate this process, we use Futurex Command Line Interface (FXCLI) to generate a new key on the Vectera Plus and assign it a PKCS11 label which Vault can reference when creating a new managed key.
Run the FXCLI application.
Configure TLS certificates for communication between FXCLI and the HSM using the tls set of commands.
Run tls help to access syntax documentation.
Connect to the HSM using the following command:
Log in to the HSM with the default "Admin1" and "Admin2" identities by running the following command twice (each time it will prompt for username and password):
Create a new key pair in the next available key slot on the HSM:
Confirm which key slot the private key was added to:
Assign a PKCS11 label to the key (Vault needs this external data field to be set so that it can find the key):
The number that you specify in the slot flag needs to match the slot number of the private key determined in the previous step. The PKCS11 label value should match the name set for the key pair in the generate command.
Create a Managed Key in Vault by referencing the PKCS11 label of the key that was manually generated on the Vectera Plus using FXCLI
The Vault command used to create a managed key from a manually generated key on the HSM is almost identical to the command that we used to dynamically generate a key on the HSM in the Testing PKI Operations section.
Manually generate a 2048-bit RSA key in Vault with the key label "VaultManualKey".
In the key_label field, we're specifying the PKCS11 label that we assigned to the key using the keytable extdata FXCLI command in the previous section. The main difference you should note in the above command is that we set allow_generate_key to false to tell Vault not to attempt to generate a key on the HSM if it cannot find the key we're referencing.
Verify that the key configuration has been written to Vault.
Verify that the key configuration is valid by test signing some data.
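The Vault side of the steps above (write the managed key with allow_generate_key set to false, read it back, then test sign), as an added Python example that is not code from the Futurex or Vault documentation. It assumes a managed key name of hsm-manual-key, placeholder values for the PKCS#11 library path, slot and PIN, the CKM_RSA_PKCS mechanism (0x0001), and Vault's sys/managed-keys/pkcs11 HTTP API reached through the standard VAULT_ADDR and VAULT_TOKEN variables.

```python
import json
import os
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
VAULT_TOKEN = os.environ.get("VAULT_TOKEN", "")
MANAGED_KEY_NAME = "hsm-manual-key"              # assumed name for this example
PKCS11_LIBRARY = "/path/to/futurex-pkcs11.so"     # placeholder: Futurex module on the Vault host


def build_managed_key_config(key_label, slot, pin, library=PKCS11_LIBRARY):
    """Parameters for sys/managed-keys/pkcs11/<name> that point at an existing HSM key.

    allow_generate_key=False is the important setting: if the label is not found
    on the HSM, Vault must fail instead of silently creating a new key.
    """
    return {
        "library": library,
        "slot": slot,                 # slot number as a string, as the API expects
        "pin": pin,
        "key_label": key_label,       # PKCS11 label set with the FXCLI keytable extdata command
        "mechanism": "0x0001",        # CKM_RSA_PKCS (assumed choice for this example)
        "key_bits": 2048,
        "allow_generate_key": False,
        "allow_store_key": False,
    }


def check_manual_key_config(cfg):
    """Return the problems found; an empty list means Vault is pinned to the HSM key."""
    problems = []
    if not cfg.get("key_label") and not cfg.get("key_id"):
        problems.append("neither key_label nor key_id identifies the HSM key")
    if cfg.get("allow_generate_key"):
        problems.append("allow_generate_key must be false for a manually provisioned key")
    return problems


def vault_request(method, path, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=data, method=method)
    req.add_header("X-Vault-Token", VAULT_TOKEN)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def register_and_verify(cfg):
    problems = check_manual_key_config(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    base = f"sys/managed-keys/pkcs11/{MANAGED_KEY_NAME}"
    vault_request("POST", base, cfg)                         # write the managed key
    stored = vault_request("GET", base)["data"]             # read the config back
    if stored.get("key_label") != cfg["key_label"]:
        raise RuntimeError("stored key_label differs from what was written")
    return vault_request("POST", base + "/test/sign", {})   # test sign against the HSM


if __name__ == "__main__":
    print(register_and_verify(build_managed_key_config("VaultManualKey", "0", "hsm-pin")))
```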