Enterprise
The P11NG Crypto Token uses PKCS#11 for communication with the HSM through the Keyfactor P11NG provider, in place of the Java SunPKCS11 provider used by the standard PKCS#11 Crypto Token. P11NG is the recommended token type for production HSM deployments and is required for features such as key wrapping and composite certificates.
Fully qualified class name: org.signserver.p11ng.common.cryptotoken.P11NGCryptoToken
Overview
As of SignServer 6.0, JackNJI11CryptoToken has been renamed P11NGCryptoToken.
To download a sample configuration file for this Worker, see Sample Worker Configurations.
Key Aliases and Certificate Objects on the HSM
Key aliases in SignServer map to the CKA_LABEL attribute on the PKCS#11 certificate object stored on the HSM. Private keys are matched to certificate objects through a shared CKA_ID value. For a full explanation of this mechanism, including certificate placement options, caching behavior, externally generated keys, and certificate import, see Crypto Tokens: HSMs & Keystores | Key Aliases, Certificates, and PKCS#11 Objects.
Available Properties
|
Required Property |
Description |
|---|---|
|
|
The name of pre-defined PKCS#11 library to use. Available libraries are configured in |
|
|
Specifies how the slot is identified. Supported values: |
|
|
Specifies which slot to use, according to the type set in
|
|
Optional Property |
Description |
|
|
Specifies a PKCS#11 attribute to use when generating a key. - Examples:
|
|
|
The key alias used to verify that the Crypto Token is active. See Crypto Tokens: HSMs & Keystores | Key Aliases, Certificates, and PKCS#11 Objects for how this alias maps to objects on the HSM. Since SignServer 7.4.0, the
|
|
|
(Optional) If Be careful when also setting |
|
|
Specifies the authentication code used for activation. Only required for auto-activation. Manual activation can be performed without it. |
|
|
If |
|
|
(Optional) If Default: |
Secret Key Generation
If generating a secret key through the P11NGCryptoToken, the algorithm name can be specified in any of the following ways. See also Crypto Token Generate Key Page.
Standard Java Name
Example: AES or DES. If the algorithm name is not in the predefined list of known secret key algorithms, prefix it with SEC:, for example: SEC:Blowfish. The predefined list currently contains AES and DES.
CKM Long value
Example: SEC:4224. Here 4224 represents the long value for the AES_KEY_GEN as defined in the PKCS#11 specification. SEC: is used as prefix.
CKM Hexadecimal value
Example: SEC:0x00001080, where 0x00001080 is the hexadecimal representation of AES_KEY_GEN. SEC: is used as prefix.
Composite Certificates
The P11NGCryptoToken can be used to create a composite key. For more information, see SignServer Composite Certificates.
HSM-Specific Notes
AWS CloudHSM
AWS CloudHSM does not support PKCS#11 certificate objects on the token. Set GENERATE_CERTIFICATE_OBJECT=false on the Worker or Crypto Token to prevent SignServer from attempting to create one.
For keys generated outside SignServer (for example, in the AWS console or via the AWS CLI), the CKA_ID attribute must be set on both the public and private key objects before SignServer can use them. See Crypto Tokens: HSMs & Keystores | Key Aliases, Certificates, and PKCS#11 Objects for an explanation of why CKA_ID matters.
To set CKA_ID using the cloudhsm-cli tool from AWS:
-
Install and configure cloudhsm-cli following the AWS instructions.
-
Determine the
idattribute to use. SignServer expects the public and private keysidto be a hex encoding of the UTF-8 encoded key name. For example, the key namesample-keyencodes to0x73616d706c652d6b6579. You can generate this with theodutility:echo "sample-key" -n | od -t x1 -A n | tr -d ' 'Or with Python:
python -c "print('sample-key'.encode('utf8').hex())" -
Start cloudhsm-cli:
cloud-hsm interactive -
Log in as a crypto user:
aws-cloudhsm > login --username USERNAME --role crypto-user. -
List keys to find the
key-referencevalues for the key pair you want to update:key list -
Set the
idattribute in the private key:key set-attribute --key-reference 0x0000000000000001 --name id --value 0x73616d706c652d6b6579 -
Set the same
idattribute on the public key:key set-attribute --key-reference 0x0000000000000002 --name id --value 0x73616d706c652d6b6579
Key Creation Date for PGP Signing
Since AWS CloudHSM cannot store PKCS#11 certificate objects, PGP signing and CSR generation cannot rely on certificate metadata from the HSM to determine the key creation date.
To solve this issue, configure the OpenPGP Signer with a fixed key creation date using the following property:
KEY_START_DATE.keyalias=YYYYMMDD
The configured date is used as the key creation date.
GCP KMS
-
The Google Cloud HSM does not support key generation, key wrapping, or import of certificate chains via SignServer.
-
Keys generated in the GCP console must use the algorithm type
*_RAW_PKCS1to work with any hash algorithm in SignServer. Alternatively, ensure the hash algorithm of the key matches the signature algorithm configured in the SignServer Worker. A mismatch produces an error similar to:ExceptionConverter: java.security.SignatureException: org.pkcs11.jacknji11.CKRException: 0x00000020: DATA_INVALID
Thales TCT
When generating an RSA key pair using the Thales TCT HSM, the ATTRIBUTE.PUBLIC.RSA.CKA_VERIFY attribute must be explicitly set to true (it is not enabled by default). Failure to do so will cause key generation to fail.
FIPS Mode
Some HSM vendors enforce stricter key constraints when operating in FIPS mode. For example, with Utimaco SecurityServer V4.10.0 and PSS padding, the following configuration is required:
-
When generating the key pair:
XMLATTRIBUTE.PRIVATE.RSA.CKA_ALLOWED_MECHANISMS=CKM_RSA_PKCS_PSS, CKM_SHA256_RSA_PKCS_PSS SELFSIGNED_SIGNATUREALGORITHM=SHA256withRSAandMGF1 -
For test signing to work after activation:
XMLSIGNATUREALGORITHM=SHA256withRSAandMGF1
For keys using PKCS#1 v1.5 padding, CKA_ALLOWED_MECHANISMS should contain only mechanisms such as CKM_RSA_PKCS and CKM_SHA256_RSA_PKCS, and the signature algorithm properties should use SHA256withRSA.
Known Limitations
-
Multiple CA certificates with the same subject DN cannot be stored in the same token slot.
-
PKCS#11 sessions are reused and never explicitly closed by this Crypto Token under normal conditions. Objects created as session objects (
CKA_TOKEN=false) are therefore not removed until the application server is shut down. In deployments that generate and delete many short-lived keys, this can eventually cause aCKR_DEVICE_MEMORYerror as session objects accumulate. To avoid this, upgrade to SignServer 5.8.2 or later and setCKA_TOKEN=truefor key objects so that they are correctly removed when a key is deleted. See theATTRIBUTE.x.y.zproperty above.