Test the integration

Initialize Entrust Authority Security Manager

If you did not initialize the Security Manager at the end of the configuration process:

  1. Open a Windows command terminal.

  2. Initialize the Security Manager:

    % cd C:/Program Files/Entrust/Security Manager/bin
    % entsh.exe -e "source \"C:/Program Files/Entrust/Security Manager/bin/FirstTimeInit.tcl\""

Launch the Entrust Authority Security Manager Shell

To launch the Entrust Authority Security Manager Shell:

  1. Open a Windows command terminal.

  2. Open an Entrust Shell:

    % cd C:/Program Files/Entrust/Security Manager/bin
    % entsh.exe

Further commands during testing are executed inside the Entrust Shell.

Verify the in-memory CA key cache

To verify the in-memory CA key cache:

  1. In the Entrust Shell:

    entsh$ ca key show-cache
    
    **** In Memory CA cache ****
    Record Status Legend:
      C = current key
      H = key on hold
      A = non-current key
      X = revoked or expired non-current key has been obsoleted
      HWV1 = hardware key PKCS11 V1 *** NOT SUPPORTED ***
      HWV2 = hardware key PKCS11 V2
      SW = software key
    
    ----------------------------------------------------
    
    Internal key index:           1XXXXXXXX89A0
    current CA certificate:       Y
    CA certificate issue date:    Thu Feb 11 20:02:26 2021
    CA certificate expire date:   Tue Feb 11 20:32:26 2031
    subject key identifier:       0010852416D0F74AF66F7F23F726CA0321C6888B
    private key active:           Y
    private key expired:          N
    certificate expired:          N
    certificate revoked:          N
    revocation details:           N/A
    key:                          RSA-2048
    global signing policy:        RSA-SHA256 (sha256WithRSAEncryption)
    record status in database:    C HWV2
    migrated:                     N
    hardware load error:          N
    hardware CKA_ID:              LH/7mxxxxxxxxxxxxxxxxM=
    hardware status: Loaded >> 'nCipher Corp. Ltd  SN : b0xxxxxxxxxxxxxxxxa19e SLOT : 761406613'.
    
    ----------------------------------------------------
    **** End of In Memory CA cache ****
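The output above can be checked mechanically rather than by eye. The following is an added example, not Entrust tooling: it parses text captured from `ca key show-cache` and reports why the current CA key does not look HSM-backed and loaded. The function names, the capture step and the constructed samples are assumptions.

```python
import re

SEPARATOR = re.compile(r"^[ \t]*-{10,}[ \t]*$", re.MULTILINE)
EXPECTED = {"private key active": "Y", "certificate expired": "N",
            "certificate revoked": "N", "hardware load error": "N"}

def parse_cache(text):
    """Split show-cache output into one dict of fields per key record."""
    records = []
    for chunk in SEPARATOR.split(text):
        fields = {}
        for line in chunk.splitlines():
            name, sep, value = line.partition(":")  # first colon only
            if sep:
                fields[name.strip()] = value.strip()
        if "Internal key index" in fields:  # skips legend and footer chunks
            records.append(fields)
    return records

def check_current_key(text):
    """Return findings for the current CA key; empty list means HSM-backed and loaded."""
    current = [r for r in parse_cache(text) if r.get("current CA certificate") == "Y"]
    if len(current) != 1:
        return [f"expected exactly one current CA key, found {len(current)}"]
    rec = current[0]
    status = rec.get("record status in database", "").split()
    findings = []
    if not {"C", "HWV2"} <= set(status):  # SW or unsupported HWV1 fail here
        findings.append(f"record status {' '.join(status)!r} lacks C and/or HWV2")
    for field, want in EXPECTED.items():
        if rec.get(field) != want:
            findings.append(f"{field} is {rec.get(field)!r}, expected {want!r}")
    if not rec.get("hardware status", "").startswith("Loaded"):
        findings.append("hardware status is not Loaded")
    return findings

# Constructed samples modelled on the output above; placeholders, SW layout assumed.
SAMPLE_HW = """\
----------------------------------------------------
Internal key index:           PLACEHOLDER-INDEX
current CA certificate:       Y
private key active:           Y
certificate expired:          N
certificate revoked:          N
record status in database:    C HWV2
hardware load error:          N
hardware status: Loaded >> 'PLACEHOLDER-HSM-SLOT'.
----------------------------------------------------
"""
SAMPLE_SW = "".join(l for l in SAMPLE_HW.replace("C HWV2", "C SW").splitlines(True)
                    if "hardware status" not in l)
```

Running the same check after the `ca key update` steps later on this page shows whether the current key ended up in hardware (`C HWV2`) or in software (`C SW`).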

Verify the hardware information

To verify the hardware information:

  1. In the Entrust Shell:

    entsh$ ca key show-cahw -type all
    
    You must log in to issue the command.
    Master User Name: Master1
    Password:
    
    EAC is not enabled. There is no associated cryptographic hardware for EAC.
    
    **** Hardware Information ****
    
    ----------------------------------------------------
    
    Name:
    nCipher Corp. Ltd  SN : b02xxxxxxxxxxxxxxxxx19e SLOT : 761406613
    
    Has current X.509 CA key: Y
    Load Status:              hardware loaded ok
    Uses Password:            Y
    DB protection HW:         N
    In use for X.509 CA keys: Y
    In use for EAC keys:      N
    ECDSA style:              1 (use raw digest)
    
    ----------------------------------------------------
    **** End of Hardware Information ****

Import the CA key pair from software to hardware

To import the CA key pair from software to the HSM:

  1. In the Entrust Shell:

    entsh$ ca key update

    This prompts you to select the destination for the new CA key.

    Select the nCipher slot as the destination for the new CA key. For example:

    Select the destination for the new CA key.
    Choose one of:
    1. Software
    2. nCipher Corp. Ltd  SN : cfc17259ebffe335 SLOT : 761406613
    3. Cancel operation
    > 2
    Checking cluster status...
    
    The cluster will be stopped and the CA key updated.
    Do you wish to continue (y/n) ? [y]
    Stopping cluster...
    
    100% complete. Estimated time remaining -:-:- /
    
    CA key and certificate successfully updated.
    Recovering CA profile...
    Starting cluster...
    
    CA profile successfully recovered.
    
    It is recommended that all revocation lists be re-issued. This can be done later with the 'rl issue' command. Re-issue revocation
    lists now (y/n) ? [y] y
    
    Issuing CRLs, please wait ...
    
    1 CRL(s) were issued.
    1 ARL(s) were issued.
    1 combined CRL(s) were issued.
    
    Publishing CRLs, please wait ...

After you have moved the CA key to the HSM and have finished updating it, a message about the CA profile being successfully recovered appears.

Export the CA key pair from hardware to software

To export the Entrust CA key pair from the HSM to software, use the Entrust Shell:

    entsh$ ca key update
    Select the destination for the new CA key.
    Choose one of:
    1. Software
    2. nCipher Corp. Ltd  SN : cfc17259ebffe335 SLOT : 761406613
    3. Cancel operation
    > 1
    Checking cluster status...

    The cluster will be stopped and the CA key updated.
    Do you wish to continue (y/n) ? [y] y
    Stopping cluster...

    100% complete. Estimated time remaining -:-:- -

    CA key and certificate successfully updated.
    Recovering CA profile...
    Starting cluster...


    CA profile successfully recovered.

    It is recommended that all revocation lists be re-issued. This can be done later with the 'rl issue' command. Re-issue revocation
    lists now (y/n) ? [y]

    Issuing CRLs, please wait ...


    1 CRL(s) were issued.
    1 ARL(s) were issued.
    1 combined CRL(s) were issued.

After you have finished updating the CA key, its export to software is complete.

Back up Security World files

To back up Security World files:

  1. Back up the C:\ProgramData\nCipher\Key Management Data\local directory.

    Perform this backup after any new key generation or Security World administration activity.

  2. Store the backup files according to your organization’s disaster recovery instructions.