Create and use keys in AWS CloudHSM
Before you can create and use keys in your new cluster, create a hardware security module (HSM) user with the AWS CloudHSM CLI. For more information, see Understanding HSM User Management Tasks, Getting started with AWS CloudHSM Command Line Interface (CLI), and How to Manage HSM Users.
Note
If using Client SDK 3, use CloudHSM Management Utility (CMU) instead of CloudHSM CLI.
After you create HSM users, you can sign in to the HSM and manage keys using any of these options:
- Build a C application using the PKCS #11 library
- Build a Java application using the JCE provider
- Use the OpenSSL Dynamic Engine directly from the command line
- Use the OpenSSL Dynamic Engine for TLS offload with NGINX and Apache web servers
- Use the Key Storage Provider (KSP) for AWS CloudHSM with Microsoft Windows Server Certificate Authority (CA)
- Use the Key Storage Provider (KSP) for AWS CloudHSM with Microsoft Sign Tool
- Use the Key Storage Provider (KSP) for TLS offload with Internet Information Server (IIS) web server