SoftHSM
The HSM type described on this page is not officially supported by EJBCA even though it may be successfully integrated with EJBCA.
For a list of HSMs supported by the different EJBCA deployment types, see Interoperability and Certifications.
SoftHSM2 works very well with EJBCA, and after initializing a slot you can use it by creating a new Crypto Token in the Admin GUI.
The user PIN is what you will use to activate the token in EJBCA.
sudo apt-get install softhsm2
To be able to create tokens as a normal user, make /var/lib/softhsm/tokens readable and writable by adding yourself to the ods group. Make sure that the user running the application server belongs to this group as well. The group might be called softhsm instead of ods; you can check with ls -ld /etc/softhsm. If so, adjust the commands below accordingly.
sudo usermod -aG ods "$USER"
sudo usermod -aG ods wildfly
After setting privileges, you can use softhsm as a normal user.
softhsm2-util --init-token --free --label slot1
You can now initialize additional slots in the same way.
Note that if you provide the --slot parameter to SoftHSM2, the token will most likely not end up in the slot number you specify, so always look up the actual slot with --show-slots.
To list the slots, use the following command:
softhsm2-util --show-slots
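The setup above, gathered into one script as an added example (this is not part of the EJBCA documentation or of the SoftHSM project). It assumes a Debian/Ubuntu-style install where /etc/softhsm is owned by the ods or softhsm group and softhsm2-util is on the PATH, and it adds two checks the procedure benefits from: it reads the group name from ls -ld /etc/softhsm instead of hard-coding ods, and it looks the real slot id up by label from the --show-slots output, since the id SoftHSM2 assigns is not under your control. The setup function names wildfly as the application-server user, as on this page. Group membership granted with usermod only applies to new logins, so log out and in (or start a new session) between the usermod step and the init step. The --show-slots output embedded in the script is constructed for the demo, not captured from a real system.

```shell
#!/bin/sh
# Added helper script (not part of the EJBCA documentation or of SoftHSM).
# Assumptions: GNU/Linux with softhsm2-util on PATH for the live commands,
# SoftHSM's config directory at /etc/softhsm, and the application server
# running as the "wildfly" user, as on the page.

# Group that owns a directory, read from "ls -ld" as the page suggests,
# so it behaves the same on any POSIX system.
dir_group() {
    ls -ld "$1" | awk '{ print $4 }'
}

# Parse "softhsm2-util --show-slots" output (on stdin) and print the numeric
# slot id of the token carrying the given label. SoftHSM2 picks the slot id
# itself, so the label is the only handle you control. Exit 1 if not found.
slot_for_label() {
    label="$1"
    awk -v want="$label" '
        /^Slot [0-9]+/ { slot = $2 }
        /^ *Label:/ {
            sub(/^ *Label: */, "")
            if ($0 == want) { print slot; found = 1; exit }
        }
        END { if (!found) exit 1 }
    '
}

# Constructed sample of --show-slots output (not captured from a real system):
# one initialized token labelled slot1 and one empty, uninitialized slot.
SAMPLE_SHOW_SLOTS='Available slots:
Slot 1972833041
    Slot info:
        Description:      SoftHSM slot ID 0x75980111
        Token present:    yes
    Token info:
        Initialized:      yes
        User PIN init.:   yes
        Label:            slot1
Slot 1
    Slot info:
        Description:      SoftHSM slot ID 0x1
        Token present:    yes
    Token info:
        Initialized:      no
        User PIN init.:   no
        Label:            '

# The page's procedure end to end; only runs when invoked as "setup".
setup_softhsm() {
    grp=$(dir_group /etc/softhsm)          # "ods" or "softhsm", depending on the distro
    sudo usermod -aG "$grp" "$USER"
    sudo usermod -aG "$grp" wildfly        # application-server user
    echo "Added $USER and wildfly to group $grp; log in again before the next step." >&2
    softhsm2-util --init-token --free --label slot1
    # Print the slot id SoftHSM2 actually assigned to the new token.
    softhsm2-util --show-slots | slot_for_label slot1
}

case "${1:-}" in
    setup) setup_softhsm ;;
    demo)  printf '%s\n' "$SAMPLE_SHOW_SLOTS" | slot_for_label slot1 ;;
esac
```

Run it as `sh softhsm-setup.sh demo` to see the label lookup on the constructed sample (it prints 1972833041), and as `sh softhsm-setup.sh setup` on a machine with SoftHSM2 installed to perform the real steps; after the usermod step, start a new login session before re-running the init step.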
To list all keys (usable by EJBCA) on a slot, you can use a clientToolBox command:
./ejbcaClientToolBox.sh PKCS11HSMKeyTool test /usr/lib/softhsm/libsofthsm2.so TOKEN_LABEL:slot1
To list all PKCS#11 objects on a slot, you can use a tool such as pkcs11-tool:
pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --token-label slot1 --pin foo123 -O