5a - Configure the cloudhsm-client - SDK5
This guide assumes that the CloudHSM client is pre-installed on an EJBCA or SignServer Cloud instance. If the CloudHSM client is not yet installed, refer to Appendix D - Installing the CloudHSM Client. It also assumes that any old Liquidsec keys have been converted to the newer P11NG format as outlined in the Appendix.
To configure the CloudHSM client (cloudhsm-client), do the following:
- SSH into the EJBCA instance.
- Copy your issuing certificate (the one that you used to sign the cluster's certificate) to the following location on the client instance:
    /opt/cloudhsm/etc/customerCA.crt
  You need root permissions on the client instance to copy your certificate to this location. If you used your EJBCA instance to generate this file, it is located in /home/ec2-user and you can move or copy it from there.
- Update the cloudhsm-cli configuration. Edit the line that contains "%%HSM_IP_ADDRESS%%" and change this value to the IP address of your HSM:
    # vim /opt/cloudhsm/etc/cloudhsm-cli.cfg
- Update the configuration of the AWS CloudHSM PKCS#11 library (the library EJBCA loads), specifying the customer CA certificate and the IP address of the HSM in your cluster. If you don't know the HSM's IP address, view your cluster in the AWS CloudHSM console:
    # /opt/cloudhsm/bin/configure-pkcs11 --hsm-ca-cert /opt/cloudhsm/etc/customerCA.crt -a "HSM_IP_ADDRESS"
- If you have only one HSM in the cluster, also run the following two commands, or EJBCA will not be able to use the keys on the HSM. SDK5 checks that a key is present on more than one HSM before it will use it, and a single-HSM cluster can never pass that check. Keep in mind that a single-HSM cluster has no key redundancy beyond the cluster backups; losing that HSM means losing any key not yet captured in a backup.
    # /opt/cloudhsm/bin/configure-pkcs11 --disable-key-availability-check
    # /opt/cloudhsm/bin/configure-cli --disable-key-availability-check
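The steps above, as an added example script that is not part of the EJBCA Cloud documentation or of the AWS CloudHSM SDK, so the same configuration can be replayed on a rebuilt client instance without interactive editing. The tool paths are the ones used in this guide; the HSM address in HSM_IPS is a constructed sample. Two details are assumptions rather than statements from the page: configure-cli accepts the same --hsm-ca-cert and -a options as configure-pkcs11 (used here in place of the manual vim edit), and several HSM addresses are passed to -a as separate arguments. The script runs in dry-run mode by default and only prints the commands; set DRY_RUN=0 and run it as root to apply them.

```shell
#!/bin/sh
# Added example (not the page's or AWS's code): replay the SDK5 client
# configuration steps non-interactively. Run as root on the client instance.
# Assumptions: configure-cli takes -a/--hsm-ca-cert like configure-pkcs11;
# multiple HSM addresses are separate arguments to -a; HSM_IPS is a sample.

CLOUDHSM_ETC=/opt/cloudhsm/etc
CLOUDHSM_BIN=/opt/cloudhsm/bin
SRC_CA="${SRC_CA:-/home/ec2-user/customerCA.crt}"  # where EJBCA wrote the issuing cert
HSM_IPS="${HSM_IPS:-10.0.1.23}"                      # constructed sample; use the console's HSM IPs
DRY_RUN="${DRY_RUN:-1}"                              # 1 = print commands only, 0 = execute

# Print a command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Number of HSM addresses in a space-separated list.
hsm_count() {
  # shellcheck disable=SC2086
  set -- $1
  echo $#
}

# SDK5 only uses a key once it is present on more than one HSM, so a
# single-HSM cluster never passes the check and it has to be disabled.
needs_availability_override() {
  [ "$(hsm_count "$1")" -lt 2 ]
}

# Command line that configures the PKCS#11 library EJBCA loads.
pkcs11_configure_cmd() {
  echo "$CLOUDHSM_BIN/configure-pkcs11 --hsm-ca-cert $CLOUDHSM_ETC/customerCA.crt -a $1"
}

# Command line that configures cloudhsm-cli (assumed equivalent of the vim edit).
cli_configure_cmd() {
  echo "$CLOUDHSM_BIN/configure-cli --hsm-ca-cert $CLOUDHSM_ETC/customerCA.crt -a $1"
}

# Refuse to install a trust anchor that is not a CA certificate
# (requires OpenSSL 1.1.1+ for the -ext option).
ca_cert_is_ca() {
  openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'
}

configure_cloudhsm_client() {
  ips="$1"
  if [ "$DRY_RUN" != 1 ] && ! ca_cert_is_ca "$SRC_CA"; then
    echo "$SRC_CA is not a CA certificate; refusing to install it as customerCA.crt" >&2
    return 1
  fi
  run cp "$SRC_CA" "$CLOUDHSM_ETC/customerCA.crt"
  # shellcheck disable=SC2046
  run $(pkcs11_configure_cmd "$ips")
  run $(cli_configure_cmd "$ips")
  if needs_availability_override "$ips"; then
    run "$CLOUDHSM_BIN/configure-pkcs11" --disable-key-availability-check
    run "$CLOUDHSM_BIN/configure-cli" --disable-key-availability-check
  fi
}

configure_cloudhsm_client "$HSM_IPS"
```

With two or more addresses in HSM_IPS the availability override is skipped, which is what you want once the cluster has a second HSM: re-enable the check at that point rather than leaving it off.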