The CA/Browser Forum’s EV Code Signing Guidelines stipulate that Certificate Authorities must protect private keys in FIPS 140-2 certified cryptographic modules, such as an HSM. In addition, section 16 parts 3a and 4b specify that there must be a mechanism for validating that a private key is indeed protected by an HSM. This process is typically known as Public Key Confirmation (PKC) and can be performed using standard tools provided with both the Luna HSM and the DPoD Luna Cloud HSM.
A Luna (Cloud) HSM will issue confirmations only for private keys that were created by the HSM and that can never exist outside of the HSM. A valid confirmation is cryptographic proof that a specific key is inside the identified HSM. The confirmation is also proof that the identified HSM is authentic.
A Luna PKC bundle contains the following certificates (in a PKCS#7 certificate chain):
- MIC: Manufacturing Integrity Certificate; corresponds to the Manufacturing Integrity Private Key (MIK), signed by the Thales Root.
- HOC: Hardware Origin Certificate; corresponds to the Hardware Origin Private Key (HOK). Unique to each HSM. Signed by the MIK.
- DAC: Device Authentication Certificate; this corresponds to the Device Authentication Private Key (DAK). Unique to each HSM. Signed by the HOK.
- PKC: Public Key Confirmation Certificate; certificate for a private key on the HSM. Signed by the DAK.
The standard Luna cmu tool can be used to create a PKC bundle and, in turn, to verify that an RSA key is protected, and has always been protected, by a Luna HSM.
Example of a cmu command to fetch the PKC bundle:
cmu getpkc -handle=5 -pkctype=1
Complete syntax can be found in the Utilities Reference Guide of the Luna HSM documentation or the Luna Cloud HSM documentation.
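Fetching the bundle is only half of the job; the relying party (the CA or its auditor) then has to check that the bundle chains to the Thales Root and that the PKC certificate carries the very public key whose protection is being asserted. The script below is an added example, not Thales or Luna tooling, that does both checks with plain OpenSSL. Because it must run offline, it first builds a constructed stand-in chain (root, MIC, HOC, DAC, PKC, all generated locally) and packs MIC..PKC into a DER PKCS#7 the way the text describes the bundle; with a real bundle you would instead pass the PKCS#7 saved from cmu getpkc (in DER form), the genuine Thales root certificate (which the bundle itself does not contain and which must be obtained and trusted separately) and the public key you expect the HSM to hold, typically taken from the CSR you are about to sign. `mkcert`, `build_mock_bundle` and `verify_pkc` are hypothetical helper names.

```shell
#!/bin/sh
# Verifying a Luna-style PKC bundle with OpenSSL (added example, not Thales code).
# The chain below is CONSTRUCTED locally: root -> MIC -> HOC -> DAC -> PKC, so the
# script runs offline. With a real bundle, pass the DER PKCS#7 fetched with
# cmu getpkc, the genuine Thales root certificate (not part of the bundle) and
# the public key you expect the HSM to be protecting.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mkcert NAME ISSUER CA:TRUE|CA:FALSE  (hypothetical helper for the mock chain;
# ISSUER equal to NAME produces a self-signed certificate)
mkcert() {
  name=$1; issuer=$2; ca=$3
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$name.key" 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -subj "/O=Mock/CN=$name" -out "$WORK/$name.csr" 2>/dev/null
  printf 'basicConstraints=critical,%s\n' "$ca" > "$WORK/$name.ext"
  if [ "$issuer" = "$name" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 1 \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" \
      -CAcreateserial -days 1 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# Build a mock bundle in the shape the text describes (constructed data).
build_mock_bundle() {
  mkcert root root CA:TRUE    # stand-in for the Thales Root
  mkcert MIC  root CA:TRUE    # Manufacturing Integrity Certificate, signed by the root
  mkcert HOC  MIC  CA:TRUE    # Hardware Origin Certificate, per HSM, signed by the MIK
  mkcert DAC  HOC  CA:TRUE    # Device Authentication Certificate, per HSM, signed by the HOK
  mkcert PKC  DAC  CA:FALSE   # Public Key Confirmation for the key under test, signed by the DAK
  # What the relying party already holds: the public half of the key it expects in the HSM
  openssl pkey -in "$WORK/PKC.key" -pubout -out "$WORK/expected.pub" 2>/dev/null
  # MIC..PKC as a DER PKCS#7 certificate chain
  openssl crl2pkcs7 -nocrl -certfile "$WORK/MIC.pem" -certfile "$WORK/HOC.pem" \
    -certfile "$WORK/DAC.pem" -certfile "$WORK/PKC.pem" -outform DER -out "$WORK/bundle.p7b"
}

# verify_pkc BUNDLE.p7b ROOT.pem EXPECTED_PUB.pem
# Returns 0 only if the bundle chains to ROOT and the PKC certificate's public key
# is byte-for-byte the expected key; otherwise prints the reason and returns 1.
verify_pkc() {
  bundle=$1; root=$2; expected=$3
  dir=$(mktemp -d)
  openssl pkcs7 -inform DER -in "$bundle" -print_certs -out "$dir/chain.pem"
  # One file per certificate so subject/issuer links can be examined
  awk -v d="$dir" '/BEGIN CERT/{n++; p=1} p{print > (d "/cert-" n ".pem")} /END CERT/{p=0}' "$dir/chain.pem"
  # The PKC is the certificate in the bundle that issues nothing else
  leaf=""
  for c in "$dir"/cert-*.pem; do
    subj=$(openssl x509 -in "$c" -noout -subject); subj=${subj#subject=}
    issues=0
    for o in "$dir"/cert-*.pem; do
      iss=$(openssl x509 -in "$o" -noout -issuer); iss=${iss#issuer=}
      if [ "$o" != "$c" ] && [ "$iss" = "$subj" ]; then issues=1; fi
    done
    if [ "$issues" -eq 0 ]; then leaf=$c; fi
  done
  if [ -z "$leaf" ]; then echo "no leaf certificate found"; rm -rf "$dir"; return 1; fi
  # Check 1: every signature from the PKC up to the trusted root must verify
  if ! openssl verify -CAfile "$root" -untrusted "$dir/chain.pem" "$leaf" >/dev/null 2>&1; then
    echo "bundle does not chain to the trusted root"; rm -rf "$dir"; return 1
  fi
  # Check 2: the confirmed key must be the expected one (compare DER SubjectPublicKeyInfo hashes)
  got=$(openssl x509 -in "$leaf" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}')
  want=$(openssl pkey -pubin -in "$expected" -outform DER | openssl dgst -sha256 | awk '{print $NF}')
  rm -rf "$dir"
  if [ "$got" != "$want" ]; then echo "PKC confirms a different key ($got)"; return 1; fi
  echo "ok: key $want is confirmed by an HSM chaining to $root"
}

build_mock_bundle
verify_pkc "$WORK/bundle.p7b" "$WORK/root.pem" "$WORK/expected.pub"
```

Both checks matter: a chain that verifies but names a different key proves nothing about your key, and a matching key in a chain that does not reach the Thales Root proves nothing about the device. If your bundle is PEM rather than DER, change `-inform DER` to `-inform PEM` in `verify_pkc`.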
If you would like a 30-day free trial of DPoD Luna Cloud HSM, please click here.