Nexus Documentation
CURL vulnerability information (CVE-2023-38545) - Nexus awareness advisory on Microsoft's update KB5014754

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this content. View the current version.

Compare with Current View Version History

Version 1 Next »

The Key Encryption Key (KEK) is used by the Key Archiving and Recovery (KAR) factory in order to encrypt and decrypt archived keys. 

This task is performed during system key administration in Nexus Certificate Manager. For information regarding when to do this task, see Decide what action to take.

Prerequisites

 Prerequisites
  • CM Officer privileges are required.
  • Officer must have access privileges to the KEK token procedure.
  • To issue certificate for PKCS#10 request, see heading "Create a token procedure with storage profile PKCS#10" in Bootstrap Certificate Manager

Step-by-step instruction

 Generate KEK token

An old KEK token must be kept as long as there are archived keys encrypted with it.

Create the KEK token

Use the command-line program hwsetup to create a KEK token. Read more about hwsetup here: Initialize Hardware Security Module for use in Certificate Manager.

  1. Run hwsetup to generate a key pair, see Generate DSA/EC/RSA key pair.
  2. Run hwsetup to create a PKCS #10 request based on the generated key pair, see Generate PKCS #10 certificate request.
  3. Use Registration Authority (RA) and select the token procedure with storage profile PKCS#10 to import the PKCS#10 request file. Save the issued certificate to file, see Issue certificates from request files.
  4. Run hwsetup to store the certificate in HSM, see Install certificate.

Configure the KEK token

The KEK token must be configured in the CF service (or in all computers running CF in case of a distributed configuration).

  1. In kar.conf:
    1. Add the crypto library to the list of crypto libraries (in the parameter kar.common.cryptolib.<#>.name).
    2. Add the new KEK to the list of tokens: kar.common.token.<#>.tokenlabel and kar.common.token.<#>.pin.
    3. Set the new KEK as the key to use for key archiving, that is, change the value for kar.archive.kek.0.tokenlabel and kar.archive.kek.0.keylabel.
  2. Restart the system in order to make the changes take effect.

The value of kar.archive.kek.0.keylabel must be the label of the key. In case of an RSA key pair, it should be the label of the public key. To see the key label, use the command hwsetup -list.

Related information

  • No labels

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions