digital-signature pki ca fips hardware-security-module

How should I submit (or at least is it possible to submit) my CSR (PKCS#10 file) to a CA that uses an HSM?


In my country the "DIRECCIÓN NACIONAL DE FIRMA DIGITAL" has an HSM to generate a public and private key for any requester. They are the CA.

Is it possible for a requester to build a CSR file (using OpenSSL, for example) on his device and submit it to this CA to be processed, even though they are using an HSM?

I don't want to let them generate and send me my private key as they are doing right now! (supposedly they don't see it...supposedly...)

I tried to search the documentation of one HSM (Luna HSM) for how to do that, but I didn't find anything.

Thanks in advance.


Solution

  • I find it odd that the CA claims to generate your private key for you, then export it as a file. It defeats the purpose of having a HSM in the 1st place, which is to secure the private key.

    Regardless, you can generate your own key and send a PKCS#10 to them. Your key could be held in a software cryptographic module, such as a file on disk, or Windows DPAPI; or it could be held in your own hardware cryptographic module, such as another HSM, or a cheaper alternative, such as a smartcard or YubiKey.

    A CA usually uses a HSM as a hardware cryptographic module for their CA application software. You (or the registration authority) would interact with this software, not directly with the HSM. However, it is possible to sign a PKCS#10 using a Luna HSM with their cmu utility.

    Bear in mind that the primary task of a CA is to build and retain credence in their ability to certify the subject of a certificate. A certificate from a trustworthy CA can be relied upon to assert the holder is who/what they claim to be. Technology only plays a small part in this trust building. Most of the trust is gained by having tight controls over the operation of the CA service, which includes strict identity checks, record keeping, auditing etc. Plumbing a HSM in and using that directly seems to miss the mark in my humble opinion. I would be asking myself whether this really is a trustworthy service if it uses a HSM directly to sign, and also offers to generate your keys for you!
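
The requester-side flow the answer describes, as an added example that is not part of the original answer: the key is generated locally, only the PKCS#10 leaves the machine, and the certificate that comes back is checked against the local key. The function names, file arguments and the RSA-3072 choice are assumptions; use whatever algorithm the CA's policy accepts.

```shell
#!/bin/sh
# Added example (not from the original post). All names and paths are
# hypothetical; it relies only on standard OpenSSL subcommands.

# Generate a private key ($1) and a PKCS#10 request ($2) for subject DN ($3).
# The key is written under umask 077 so only the owner can read it.
make_csr() {
    ( umask 077 && openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:3072 -out "$1" ) 2>/dev/null || return 1
    openssl req -new -key "$1" -subj "$3" -out "$2"
}

# Before sending: the request ($2) must carry a valid self-signature (proof
# of possession), contain no private-key block, and embed the public half
# of our key ($1).
check_csr() {
    openssl req -in "$2" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    if grep -q 'PRIVATE KEY' "$2"; then return 1; fi
    want=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    got=$(openssl req -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# After issuance: the certificate ($2) must certify the public key of our
# local private key ($1), not a key pair generated somewhere else.
cert_matches_key() {
    want=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    got=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$want" ] && [ "$want" = "$got" ]
}
```

Only the file written by `make_csr` as its second argument is submitted to the CA; the key file never needs to leave the device that generated it.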