Migrating Verizon using nShield HSM to EJBCA
Migrating a Verizon CA to EJBCA follows the same procedure for importing CAs, certificates and CRLs as other CAs, for example as described in Migrating Microsoft CA to EJBCA.
When the Verizon CA keys are on an nShield HSM, you need a process to generate certificate objects for the keys on the HSM. This is the same process as described in Migrating RSA Keon CA with nCipher, except that you do not have to retarget the keys, as Verizon uses PKCS#11.
HSM CA Keys
For P11NG (EJBCA Enterprise) you can use the p11ng-cli to list and test keys on the HSM, and see their attributes.
Listing keys generated by a Verizon CA using p11ng-cli may look like:
java -Dlog4j1.compatibility=true -jar p11ng-cli.jar listobjects --lib-file "C:\Program Files\nCipher\nfast\bin\cknfast.dll" --slot-ref SLOT_LABEL --slot "Test Root CA OCS"
Enter slot login password:
Private Key Objects: [1165]
Object 1165
CKA_ID: 0xcc12965a33f58e393d86f119a965d126141c98b3 "?↕?Z3??9=??↓?e?&¶∟??"
CKA_LABEL: 0x4465204c612052756520536f6c7574696f6e73205465737420526f6f74204341202d2043532c2043524c532028313029 "Test Root CA"
Public Key Objects: [1118]
Object 1118
CKA_ID: 0xcc12965a33f58e393d86f119a965d126141c98b3 "?↕?Z3??9=??↓?e?&¶∟??"
CKA_LABEL: -
Certificate Objects: [1144]
Object 1144
CKA_ID: 0x404ed945182e2354dd00d888662527e92fef6a1f "@N?E↑.#T? ?f%'?/?j▼"
CKA_LABEL: -
CKA_SUBJECT: "CN=Test Root CA, C=SE"
CKA_ISSUER: "CN=Test Root CA, C=SE"
Secret Objects: []
The issue (as of EJBCA 8.2.0) is that EJBCA is unable to match the private and public keys: it matches them using the private key label, and there is no label on the public key object. In order for EJBCA to use the keys you need to generate a certificate object on the HSM, which is easily done with ckcerttool. To use the ckcerttool command you need to find the NFKM key Ident (see the RSA Keon page for more details on this). You can find it using the nCipher GUI KeySafe.
Once you have the key Ident, you can import the CA certificate that you already have with a simple command, for example:
ckcerttool.exe -c "Test Root CA OCS" -f rootca.pem -k <NFKM key ident> -L "Test Root CA"
This will import the rootca.pem certificate and create the needed CKA_ID binding between the certificate and the key pair, with the label you specify.
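To check before and after running ckcerttool whether the HSM objects are bound the way EJBCA needs, the following Python script parses the text output of p11ng-cli listobjects and reports, for every private key, whether a public key with the same CKA_ID exists, whether that public key carries a CKA_LABEL, and whether a certificate object shares the CKA_ID. This is an added example, not part of the original page or of the EJBCA or p11ng-cli projects; the "before" listing is taken from the output shown above, while the "after" listing and its certificate object handle 1200 are constructed to show what a correctly bound key pair looks like, not the literal output of ckcerttool.

```python
import re
from dataclasses import dataclass, field

# Line shapes produced by "p11ng-cli listobjects" as shown on this page.
SECTION_RE = re.compile(r"^(Private Key|Public Key|Certificate|Secret) Objects: \[(.*)\]$")
OBJECT_RE = re.compile(r"^Object (\d+)$")
ATTR_RE = re.compile(r"^(CKA_[A-Z_]+): (.*)$")


@dataclass
class P11Object:
    kind: str            # "Private Key", "Public Key", "Certificate" or "Secret"
    handle: int          # object handle printed after "Object"
    attrs: dict = field(default_factory=dict)


def parse_listobjects(text):
    """Parse listobjects output into P11Object records.

    CKA_ID is kept as the lowercase hex string (the authoritative value);
    other attributes keep the quoted display text, or None for "-".
    """
    objects, kind, current = [], None, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            kind, current = m.group(1), None
            continue
        m = OBJECT_RE.match(line)
        if m and kind:
            current = P11Object(kind, int(m.group(1)))
            objects.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            name, raw = m.group(1), m.group(2).strip()
            if raw == "-":
                current.attrs[name] = None
            elif raw.startswith("0x"):
                # "0x<hex> "<display text>"": keep hex for CKA_ID, text otherwise
                hexpart, _, rest = raw.partition(" ")
                current.attrs[name] = hexpart.lower() if name == "CKA_ID" else rest.strip('"')
            else:
                current.attrs[name] = raw.strip('"')
    return objects


def check_key_bindings(objects):
    """For each private key, list what would stop EJBCA from binding it.

    Returns {private key label or 'object <handle>': [problem, ...]};
    an empty list means the key pair and certificate are consistently bound.
    """
    by_kind = {}
    for o in objects:
        by_kind.setdefault(o.kind, []).append(o)
    findings = {}
    for priv in by_kind.get("Private Key", []):
        cka_id = priv.attrs.get("CKA_ID")
        pubs = [p for p in by_kind.get("Public Key", []) if p.attrs.get("CKA_ID") == cka_id]
        certs = [c for c in by_kind.get("Certificate", []) if c.attrs.get("CKA_ID") == cka_id]
        problems = []
        if not pubs:
            problems.append("no public key with matching CKA_ID")
        elif all(p.attrs.get("CKA_LABEL") is None for p in pubs):
            problems.append("public key has no CKA_LABEL")
        if not certs:
            problems.append("no certificate with matching CKA_ID")
        findings[priv.attrs.get("CKA_LABEL") or f"object {priv.handle}"] = problems
    return findings


# Listing as produced by a Verizon CA key pair before ckcerttool (from this page).
BEFORE_LISTING = """
Private Key Objects: [1165]
Object 1165
CKA_ID: 0xcc12965a33f58e393d86f119a965d126141c98b3 "?..?Z3??9=??.?e?&..??"
CKA_LABEL: 0x4465204c612052756520536f6c7574696f6e73205465737420526f6f74204341202d2043532c2043524c532028313029 "Test Root CA"
Public Key Objects: [1118]
Object 1118
CKA_ID: 0xcc12965a33f58e393d86f119a965d126141c98b3 "?..?Z3??9=??.?e?&..??"
CKA_LABEL: -
Certificate Objects: [1144]
Object 1144
CKA_ID: 0x404ed945182e2354dd00d888662527e92fef6a1f "@N?E..#T? ?f%'?/?j."
CKA_LABEL: -
CKA_SUBJECT: "CN=Test Root CA, C=SE"
CKA_ISSUER: "CN=Test Root CA, C=SE"
Secret Objects: []
"""

# Constructed listing of a correctly bound key pair (object 1200 is a made-up handle).
AFTER_LISTING = """
Private Key Objects: [1165]
Object 1165
CKA_ID: 0xcc12965a33f58e393d86f119a965d126141c98b3 "?..?Z3??9=??.?e?&..??"
CKA_LABEL: 0x5465737420526f6f74204341 "Test Root CA"
Public Key Objects: [1118]
Object 1118
CKA_ID: 0xcc12965a33f58e393d86f119a965d126141c98b3 "?..?Z3??9=??.?e?&..??"
CKA_LABEL: 0x5465737420526f6f74204341 "Test Root CA"
Certificate Objects: [1200]
Object 1200
CKA_ID: 0xcc12965a33f58e393d86f119a965d126141c98b3 "?..?Z3??9=??.?e?&..??"
CKA_LABEL: 0x5465737420526f6f74204341 "Test Root CA"
CKA_SUBJECT: "CN=Test Root CA, C=SE"
CKA_ISSUER: "CN=Test Root CA, C=SE"
Secret Objects: []
"""

if __name__ == "__main__":
    for name, listing in (("before", BEFORE_LISTING), ("after", AFTER_LISTING)):
        for label, problems in check_key_bindings(parse_listobjects(listing)).items():
            print(f"{name}: {label}: {problems or 'OK'}")
```

Run it against saved output of p11ng-cli listobjects (for example by reading the file into BEFORE_LISTING): a private key with an empty problem list is one EJBCA can bind to its certificate; one that reports "no certificate with matching CKA_ID" is a key pair that still needs the ckcerttool import.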
CAs Certificates and CRLs
Follow the guide for migrating a Microsoft ADCS to import CAs, certificates and CRLs.