I'm looking to use CloudHSM for an intermediate CA. To that end, I need to generate a keypair and sign it with the root (offline HSM) CA. We're using ECDSA.
However, when I generate a CSR from an ECC keypair, it fails verification. Here's what I'm doing:
genECCKeyPair -i 2 -l intermediate-ca -nex
getCaviumPrivKey -k 42 -out intermediate-ca.key
openssl req -engine cloudhsm -new -key intermediate-ca.key -out intermediate-ca.csr -subj "/CN=Intermediate CA"
openssl req -in intermediate-ca.csr -verify -noout
This reports:
verify failure
139822323439520:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:249:
If I attempt to sign the CSR, openssl reports Signature did not match the certificate request
If I do the same steps with an RSA key, everything's fine.
What am I doing wrong?
The OpenSSL engine for CloudHSM doesn't support ECC keys.
This is stated implicitly by https://docs.aws.amazon.com/cloudhsm/latest/userguide/openssl-library.html (it's not in the list).
What confused me is that https://docs.aws.amazon.com/cloudhsm/latest/userguide/ki-openssl-sdk.html#ki-openssl-4 implies that it is supported.
It's not. Use one of the other client libraries (JCE, PKCS#11, KSP or CNG).
(I confirmed this with AWS support)