Crypto Tokens: HSMs & Keystores
Crypto Tokens provide access to keys and to the cryptographic operations performed with them.
The functions of a CryptoToken include:
Key storage and protection
Authenticated key access
Login/logout handling
Algorithm support
Overview
A Crypto Token can use:
HSMs (PKCS#11 using Keyfactor P11NG interface)
SoftHSM
REST-based HSMs (Fortanix, Azure, and so on)
Keystore files (PKCS#12, JKS) can be used for testing but are not recommended for production use.
A Crypto Token backed by a software keystore is the KeystoreCryptoToken; one backed by a Hardware Security Module (HSM) is the PKCS11CryptoToken.
Crypto Token Architecture
The following diagram shows how the Crypto Token is used:
Using Crypto Tokens
A worker can either have a Crypto Token configured on the worker itself or reference another worker (typically a Crypto Worker) that has a Crypto Token configured.
A worker contains a Crypto Token as a component by selecting the Crypto Token implementation with the CRYPTOTOKEN_IMPLEMENTATION_CLASS property and then adding any other properties that implementation requires.
Each Signer is typically configured with a reference to a Crypto Worker having a Crypto Token configured.
Crypto Workers Hosting Crypto Tokens
Unlike other workers, the Crypto Worker performs no operations of its own; it only hosts a Crypto Token that other workers can reference.
Fully-qualified class name: org.signserver.server.signers.CryptoWorker.
Use the CRYPTOTOKEN_IMPLEMENTATION_CLASS property to define the Crypto Token implementation, such as the KeystoreCryptoToken in this example:
CRYPTOTOKEN_IMPLEMENTATION_CLASS=org.signserver.server.cryptotokens.KeystoreCryptoToken
For setup information, see Set Up a Crypto Worker.
Using the Crypto Worker of Another Worker
A worker can use the Crypto Token of another worker (typically a Crypto Worker) by giving that worker's name in its CRYPTOTOKEN property:
CRYPTOTOKEN=SoftCryptoToken
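The two ways of obtaining a Crypto Token described above (hosting one via CRYPTOTOKEN_IMPLEMENTATION_CLASS, or referencing another worker via CRYPTOTOKEN) form a chain that is easy to misconfigure. The following added example, which is not SignServer's own code, parses a worker properties file and reports dangling references, reference cycles, and workers that end up on a software keystore token (not recommended for production). It assumes a WORKER<id>.<PROPERTY>=<value> layout and a NAME property per worker; the sample configuration is constructed.

```python
# Added example, not SignServer's own code: check how each worker obtains its Crypto
# Token. Assumed layout: WORKER<id>.<PROPERTY>=<value> lines, each worker with a NAME.
from collections import defaultdict

KEYSTORE_TOKEN = "org.signserver.server.cryptotokens.KeystoreCryptoToken"

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """
WORKER1.NAME=SoftCryptoToken
WORKER1.CRYPTOTOKEN_IMPLEMENTATION_CLASS=org.signserver.server.cryptotokens.KeystoreCryptoToken
WORKER2.NAME=PdfSigner
WORKER2.CRYPTOTOKEN=SoftCryptoToken
WORKER3.NAME=XmlSigner
WORKER3.CRYPTOTOKEN=MissingToken
WORKER4.NAME=Loop
WORKER4.CRYPTOTOKEN=Loop
"""

def parse_workers(text):
    """Group WORKER<id>.KEY=VALUE lines into {worker_id: {KEY: VALUE}}."""
    workers = defaultdict(dict)
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        prefix, _, prop = key.partition(".")
        if sep and prefix.upper().startswith("WORKER") and prop:
            workers[prefix.upper()][prop.upper()] = value.strip()
    return dict(workers)

def check_crypto_tokens(workers, production=True):
    """Return (worker name, finding) pairs; an empty list means the wiring is sound."""
    findings = []
    by_name = {w["NAME"]: wid for wid, w in workers.items() if "NAME" in w}
    for wid, props in workers.items():
        name, seen, cur = props.get("NAME", wid), set(), wid
        # Follow CRYPTOTOKEN references until a worker that hosts a token is reached.
        while "CRYPTOTOKEN_IMPLEMENTATION_CLASS" not in workers[cur]:
            ref = workers[cur].get("CRYPTOTOKEN")
            if ref not in by_name:
                findings.append((name, f"missing or unknown CRYPTOTOKEN reference {ref}"))
                break
            if cur in seen:
                findings.append((name, "CRYPTOTOKEN reference cycle"))
                break
            seen.add(cur)
            cur = by_name[ref]
        else:  # loop ended normally: cur hosts the token this worker will use
            if production and workers[cur]["CRYPTOTOKEN_IMPLEMENTATION_CLASS"] == KEYSTORE_TOKEN:
                findings.append((name, "software keystore token, not recommended for production"))
    return findings
```

Run it with production=False during development to see only wiring errors; the default reports every signer whose chain ends on a keystore-backed token.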
