AWS cloudhsm documentation change
Summary
Added certificate selection instructions and configuration guidance for cluster activation
Security assessment
Clarifies proper security configuration for CloudHSM certificate handling but doesn't address a specific vulnerability. Improves security documentation by specifying correct certificate usage.
Diff
diff --git a/cloudhsm/latest/userguide/activate-cluster.md b/cloudhsm/latest/userguide/activate-cluster.md index 012abae42..ade73c9a2 100644 --- a//cloudhsm/latest/userguide/activate-cluster.md +++ b//cloudhsm/latest/userguide/activate-cluster.md @@ -11 +11,10 @@ When you activate an AWS CloudHSM cluster, the cluster's state changes from init -Before you can activate the cluster, you must first copy the issuing certificate to the default location for the platform on each EC2 instance that connects to the cluster (you create the issuing certificate when you initialize the cluster). +Before you can activate the cluster, you must first copy the issuing certificate to the default location for the platform on each EC2 instance that connects to the cluster (you create the issuing certificate when you initialize the cluster). Use the appropriate certificate file based on the approach you chose during cluster initialization: + + * **If you chose Option A (single self-signed certificate):** Copy `customerRootCA.crt` + + * **If you chose Option B (certificate chain):** Copy `chainCA.crt` + + + + +**Linux location:** @@ -13 +21,0 @@ Before you can activate the cluster, you must first copy the issuing certificate -Linux @@ -14,0 +23 @@ Linux + /opt/cloudhsm/etc/<customerRootCA.crt OR chainCA.crt> @@ -16 +25 @@ Linux - /opt/cloudhsm/etc/customerCA.crt +**Windows location:** @@ -18 +26,0 @@ Linux -Windows @@ -19,0 +28 @@ Windows + C:\ProgramData\Amazon\CloudHSM\<customerRootCA.crt OR chainCA.crt> @@ -21 +30 @@ Windows - C:\ProgramData\Amazon\CloudHSM\customerCA.crt +After copying the certificate file, edit the `/opt/cloudhsm/etc/cloudhsm-cli.cfg` file to ensure the certificate file name matches the name of the CA certificate you copied.