Skip to main content
Skip table of contents

How to Configure Database Protection using HMAC

The following describes how to set up database protection using the HMAC algorithm for integrity protection.

  1. Generate a private key and a certificate.

    openssl ecparam -genkey -name prime256v1 -noout -out key.pem
    openssl req -new -x509 -key key.pem -out certificate.pem -days 7300 -subj "/CN=Database Protection"
  2. Put the private key and the certificate in a PKCS#12 file. OpenSSL will ask you for a password that will be used to encrypt the keystore. Make a note of this password, as you will need it later.

    openssl pkcs12 -export -inkey key.pem -in certificate.pem -out bag.p12 -name dbProtect
  3. Print the base64 encoded PKCS#12 file.

    cat bag.p12 | base64 | tr -d '\012'
  4. Put the following configuration in


    databaseprotection.keyid.1 = 234
    databaseprotection.keylabel.1 = dbProtect
    databaseprotection.classname.1 = org.cesecore.keys.token.SoftCryptoToken = <the base64 encoded bag.p12 goes here>
    databaseprotection.tokenpin.1 = <the password for bag.p12>
    databaseprotection.version.1 = 1
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.