Using HSMs
The EU policy requires using an HSM to protect the CA's signature keys. Depending on the algorithms chosen, you have different options and difficulties. See Hardware Security Modules (HSM) for details.
The following additional key properties are available (set in the CA's token properties) when using an HSM; they control the use of the previous and next keys during key rollover:
Property | Description |
---|---|
previousCertSignKey | Alias of the previous signature key, as opposed to certSignKey, which is the current signature key. |
previousSequence | Sequence identifying the previous signature key, as opposed to the current sequence that is held in the CA token. This sequence replaces the current sequence in the caRef field when signing a request with the CA's previous key. |
nextCertSigningKey | Alias of a newly generated key on the HSM. When updating a CA signed by an external CA, this key is used to send a request while the CA remains active using the old key. When the certificate response is received, this key is activated and moved to certSignKey/crlSignKey. |
nextSequence | The sequence identifying the next signature key. |
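The rollover the table describes has a fixed order: generate the next key while the CA keeps signing with the current one, then, once the certificate response is back, promote the next key to current and demote the current key to previous. The following is an added illustration (not EJBCA code) that models those property transitions and the caRef rule. It assumes a numeric, zero-padded sequence (e.g. 00001), that caRef is built as a mnemonic followed by the sequence, and that the HSM can be simulated by a set of aliases; the alias names are constructed sample values, not values from EJBCA.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


def next_sequence(seq: str) -> str:
    """Increment a zero-padded numeric sequence (assumption: e.g. 00001 -> 00002)."""
    return str(int(seq) + 1).zfill(len(seq))


@dataclass
class CaToken:
    """Current signing key alias and sequence held in the CA token, plus the
    optional rollover properties from the table above. The 'hsm_aliases' set
    stands in for the key aliases present on the HSM (constructed simulation)."""
    cert_sign_key: str
    sequence: str
    crl_sign_key: str = ""
    properties: Dict[str, str] = field(default_factory=dict)
    hsm_aliases: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        # The current key must already exist on the HSM.
        self.hsm_aliases.add(self.cert_sign_key)
        if not self.crl_sign_key:
            self.crl_sign_key = self.cert_sign_key

    def generate_next_key(self, alias: str) -> None:
        """Rollover step 1: a new key is generated on the HSM and recorded as
        nextCertSigningKey/nextSequence. The CA keeps signing with the old key."""
        if alias in self.hsm_aliases:
            raise ValueError(f"alias {alias!r} already exists on the HSM")
        if "nextCertSigningKey" in self.properties:
            raise RuntimeError("a next key is already pending activation")
        self.hsm_aliases.add(alias)
        self.properties["nextCertSigningKey"] = alias
        self.properties["nextSequence"] = next_sequence(self.sequence)

    def activate_next_key(self) -> None:
        """Rollover step 2: the certificate response has been received. The old
        key becomes previousCertSignKey/previousSequence and the next key is
        moved to certSignKey/crlSignKey with its sequence."""
        if "nextCertSigningKey" not in self.properties:
            raise RuntimeError("no next key has been generated")
        self.properties["previousCertSignKey"] = self.cert_sign_key
        self.properties["previousSequence"] = self.sequence
        self.cert_sign_key = self.properties.pop("nextCertSigningKey")
        self.crl_sign_key = self.cert_sign_key
        self.sequence = self.properties.pop("nextSequence")

    def signing_key_and_ca_ref(self, use_previous: bool, mnemonic: str) -> Tuple[str, str]:
        """Return (alias to sign with, caRef). When signing with the previous
        key, previousSequence replaces the current sequence in caRef."""
        if use_previous:
            if "previousCertSignKey" not in self.properties:
                raise RuntimeError("no previous key is available")
            alias = self.properties["previousCertSignKey"]
            seq = self.properties["previousSequence"]
        else:
            alias, seq = self.cert_sign_key, self.sequence
        return alias, mnemonic + seq


if __name__ == "__main__":
    token = CaToken(cert_sign_key="signKey", sequence="00001")
    token.generate_next_key("signKey2")
    print("pending:", token.properties)
    token.activate_next_key()
    print("current:", token.cert_sign_key, token.sequence)
    print("previous request caRef:", token.signing_key_and_ca_ref(True, "SETEST"))
```

The guard in generate_next_key mirrors the operational constraint implied by the table: only one next key can be pending, and activating it is what clears nextCertSigningKey and populates the previous* properties, so a request signed with the previous key after rollover carries the old sequence in caRef.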
Generating Keys
The EJBCA Client Toolbox tool (ejbcaClientToolBox.sh PKCS11HSMKeyTool) can be used for generating keys on an HSM.
cd dist/clientToolBox
./ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /etc/utimaco/libcs2_pkcs11.so secp256r1 signKey 1
For more information on generating keys and on supported curves, refer to the documentation for your HSM. For example, the Utimaco documentation is found in chapter 8 of the CS_AdminGuide.pdf. Note that the Java PKCS#11 provider may not support all curves that your HSM supports.
To generate EC keys using the ejbcaClientToolBox.sh tool, a patch for the JDK is needed due to a bug in the JDK (see below).
Note that the generation command may differ between HSMs; see Hardware Security Modules (HSM). For example, use the following on the Thales ProtectServer Gold:
./ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /slot1.cfg secp256r1 signKey
Generating Keys using HSM Tools
Depending on your HSM, you may generate keys and the needed self-signed certificate associated with them using the HSM's own tools. For example, for the Thales ProtectServer, see the HSM documentation in Hardware Security Modules (HSM).
Using EC Keys
For information on using HSMs and ECDSA, see Using ECDSA with an HSM.