Configuring the Luna On-Premise HSM Before Starting the Document Engine Service Container

Support for on-premises deployments, including those using Containers, ended on December 31, 2023.

For more information, please see our OneSpan Product Life Cycle page, and consult the OneSpan End of Life policy.

For any additional questions contact your Customer Service Representative.

_____________________________________________________________________________________

If you do not have your CSR file ready to submit to your Certificate Provider for the purpose of receiving a Signer Certificate and you wish to use your Luna client installation to generate it, then you must first use the following procedure.

Generating a CSR using your Luna client

1. Obtain your universal client Luna client tar file from Luna.
2. Untar it into a Luna client installation folder on a Centos7 machine.
3. Run the install script from the installation folder's LunaClient_<version>_Linux/64 subfolder that was created by untarring the tar file.
4. Select an installation folder, then choose Luna Network HSM, followed by Luna SDK" in the next page, and then exit.
5. Confirm your installation is now in the following location: <desired installation folder>/safenet/lunaclient.
6. From bin/64 subfolder (cmu.exe for Windows) run ./cmu generatekeypair -modulusBits=2048 -publicExp=65537 -sign=T -verify=T -labelPublic="public.key" -labelPrivate="private.key"
7. From bin/64 subfolder, run ./cmu list. Note the public and private handle IDs on your hsm.
8. From bin/64 subfolder, run the following command:

 ./cmu requestCert -sha256withrsa -publichandle=<public key handle id> -privatehandle=<private key handle id> -C="your country" -S="your state or province" -L="your city" -O="your company" -OU="RD" -CN="<desired certname>" -outputFile=<desired certname>.csr

9. Obtain the tool sautil from Luna or OneSpan and run the following command. This is only required if you wish to generate your own private key handle file from your HSM:

./sautil -o -a 0:RSA -f privatekeyhandle.pem -s <slotid> -v -q <partition password>.

10. Save the file privatekeyhandle.pem. You will need to upload it from the admin console. This is only required if you wish to generate your own private key handle file from your HSM.
11. Provide the CSR file <desire certname>.csr to your Certificate Authority certificate provider and they will provide you with your purchased signer certificate with its trusted chain files (for example, the trusted certificate and intermediate certificates).