cryptography rsa hsm

Thales Payshield HSM RSA Private Key


We are migrating from Thales 8000 to Thales Payshield 9000. We generated an RSA Key Pair in 8000 (with EI - Generate a Public/Private Key Pair command). We stored the public key on the host and loaded the private key to the HSM's tamper-protected memory (with EK - Load a Private Key command).

The problem is we didn't keep the private key, and we don't want to create a new key pair because we would have to start a new certification process with the vendor if we did. Is there a solution like storing this key on a smartcard and moving to the new version like LMK?

I read the Thales console command reference and programmer's manual but wasn't able to find a solution.


Solution

  • The private key that is returned from a Thales HSM keypair generation command (this is command EI on the Payshield 9000 that I have access to) is encrypted under LMK keypair 34-35. You will never see this in the clear, i.e. in unencrypted form.

    The only way you could extract this from the HSM would be if you knew that LMK keypair; you could then use this to decrypt it. This is often possible in a test environment where a set of known test LMK keypairs are sometimes used. In a production environment, however, doing this would obviously compromise the security of the entire HSM and any system dependent upon it.

    In your situation, you really have little option but to generate a new keypair and then store the encrypted private key bytes.

    The problem, however, with only ever having the private key encrypted under this LMK key pair is that you need to use the HSM to sign a CSR, instead of an established tool like openssl.

    I did this by using the EI command (generate an RSA keypair) to generate a keypair, storing the raw encrypted private key bytes returned in a file, constructing an unsigned CSR structure, sending that to the HSM with the private key bytes under command EW (Generate a signature), and then appending the signature to my CSR structure.
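
The CSR assembly described in the last paragraph, as an added sketch that is not the answerer's code: the `sign` callback stands in for the HSM's EW call (its message format is not shown here), and the sha256WithRSAEncryption identifier, the subject name and the key values are assumptions or constructed placeholders.

```python
import base64, hashlib, textwrap

def tlv(tag, body):
    """DER tag-length-value with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def der_int(v):  # the computed width always leaves the sign bit clear
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def bit_string(b):
    return tlv(0x03, b"\x00" + b)  # leading 0 = no unused bits

RSA_ENC = bytes.fromhex("06092a864886f70d010101")     # rsaEncryption
SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # sha256WithRSAEncryption (assumed)
OID_CN = bytes.fromhex("0603550403")                  # commonName
NULL = b"\x05\x00"

def cert_request_info(cn, n, e):
    """Unsigned CertificationRequestInfo (RFC 2986): the bytes that get signed."""
    name = seq(tlv(0x31, seq(OID_CN, tlv(0x0C, cn.encode()))))
    spki = seq(seq(RSA_ENC, NULL), bit_string(seq(der_int(n), der_int(e))))
    return seq(der_int(0), name, spki, tlv(0xA0, b""))  # version 0, no attributes

def build_csr(cn, n, e, sign):
    """sign(tbs) -> signature bytes; in production this wraps the HSM request."""
    tbs = cert_request_info(cn, n, e)
    # The algorithm identifier must match the hash and padding the HSM applies.
    return seq(tbs, seq(SHA256_RSA, NULL), bit_string(sign(tbs)))

def to_pem(der):
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return ("-----BEGIN CERTIFICATE REQUEST-----\n" + body +
            "\n-----END CERTIFICATE REQUEST-----\n")

# Constructed stand-ins: FAKE_N is not a real modulus and fake_hsm_sign is not a
# real signature; they only give the structure realistic RSA-2048 sizes.
FAKE_N = (1 << 2047) | 1

def fake_hsm_sign(tbs):
    return hashlib.sha256(tbs).digest() * 8  # 256 bytes

if __name__ == "__main__":
    print(to_pem(build_csr("hsm-test.example", FAKE_N, 65537, fake_hsm_sign)))
```

Once `sign` returns a genuine signature from the HSM, `openssl req -in csr.pem -noout -verify` confirms that it matches the public key embedded in the request.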