This guide shows how to integrate the EJBCA Cloud with AWS CloudHSM.
AWS CloudHSM is the newer, Marvell-based offering from AWS, not to be confused with the SafeNet-based AWS CloudHSM Classic. For more information, refer to the AWS CloudHSM User Guide.
This EJBCA Cloud and AWS CloudHSM integration guide includes the topics listed below.
If you already have a CloudHSM cluster configured, proceed to step 4 - Assigning the Security Group to the EJBCA Instance and then to 5b - Configure the cloudhsm-client - SDK3. These steps configure the EJBCA Cloud instance to talk to the CloudHSM cluster so that key creation can begin.
CloudHSM cluster creation and initialization must be performed on an EC2 instance that is not an EJBCA instance. The CloudHSM configuration requires sudo access, and sudo access is not granted on EJBCA instances until after the Wizard setup is complete. Once CloudHSM initialization is completed on the other EC2 instance, bring the resulting credentials to the EJBCA Cloud configuration wizard and complete the EJBCA setup and integration with CloudHSM. For more information, see the EJBCA Cloud AWS Launch Guide.
Note that users of EJBCA Cloud versions before 2.6 and EJBCA 7.5.0 need to convert the public keys that were previously stored on the local disk of the EJBCA host and import them into CloudHSM; see CloudHSM Liquidsec Key Conversion.
CloudHSM Liquidsec Key Conversion - Important pre 2.6 Notes
Multiple Crypto Tokens with AWS CloudHSM
1 - Create CloudHSM Cluster
2 - Validate the HSM
3 - Initialize the CloudHSM
4 - Assigning the Security Group to the EJBCA Instance
5a - Configure the cloudhsm-client - SDK5
5b - Configure the cloudhsm-client - SDK3
6 - PKCS11 PIN
7a - Activate the Cluster - SDK5
7b - Activate the Cluster - SDK3
8a - Create a CloudHSM Crypto User - SDK5
8b - Create a CloudHSM Crypto User - SDK3
9 - Create a Keystore in the HSM
10 - Verify the Keypair for use with EJBCA
11a - Create a CryptoToken in EJBCA - SDK5
11b - Create a CryptoToken in EJBCA - SDK3
Appendix A - Restoring an HSM Backup to a New Instance
Appendix B - Troubleshooting HSM Issues
Appendix C - Converting liquidsec Public Keys to P11NG Compatible Key Pairs
Appendix D - Installing the CloudHSM Client
Appendix E - Importing full CA Keypairs into CloudHSM
Appendix F - Migrating from SDK3 to SDK5