The first step is creating an HSM partition, which can be thought of as an independent logical HSM within your Azure Dedicated HSM device.
Next, the partition needs to be assigned to the client, in this case your key server.
After the partition has been assigned, run lunacm from your virtual server and initialize the partition.
2. Generate a RSA key pair and certificate signing request (CSR)
Before running the commands below, check with your information security and/or cryptography team to confirm the approved key creation procedures for your organization.
Using the key created in the previous step, generate a CSR that can be sent to a publicly trusted Certificate Authority (CA) for signing.
3. Obtain and upload a signed certificate from your Certificate Authority (CA)
Provide the CSR created in the previous step to your organization’s preferred CA, demonstrate control of your domain as requested, and then download the signed SSL certificates. Follow the instructions provided in Uploading “Keyless” SSL Certificates.
4. Modify your gokeyless config file and restart the service
Lastly, we need to modify the configuration file that the key server will read on startup. Be sure to change the object=mykey and pin-value=username:password values to match the key label you provided and CU user you created.
Open /etc/keyless/gokeyless.yaml and immediately after:
add:
With the config file saved, restart gokeyless and verify it started successfully.