The PKCS#11 Crypto Token allows using an HSM that has a PKCS#11 module, such as Utimaco, nCipher, SafeNet, or AEP KeyPer.
Fully qualified class name: org.signserver.server.cryptotokens.PKCS11CryptoToken
Overview
SignServer uses the same underlying implementation of PKCS#11 Crypto Tokens as EJBCA. Because token labels strings differ, it is important to use the SignServer-specific properties listed in this section. The EJBCA ClientToolbox tool can be used to generate and test PKCS#11 keys to confirm that the keys can be used with SignServer. For more information, refer to the EJBCA documentation on EJBCA Client Toolbox and Hardware Security Modules (HSM).
To download a sample configuration file for this Worker, see Sample Worker Configurations.
Key Aliases and Certificate Objects on the HSM
Key aliases in SignServer map to the CKA_LABEL attribute on the PKCS#11 certificate object stored on the HSM. Private keys are matched to certificate objects through a shared CKA_ID value. For a full explanation of this mechanism, including certificate placement options, caching behavior, externally generated keys, and certificate import, see Crypto Tokens: HSMs & Keystores | Key Aliases, Certificates, and PKCS#11 Objects.
Available Properties
|
Property |
Description |
|---|---|
|
|
(Optional) Specifies the PKCS#11 attributes used for key generation specified directly in the property value. Cannot be used together with Sample XML
The PKCS#11 attributes configuration is global per shared library. If specified in multiple Workers, only the configuration from the first Worker loaded will be used. Changing the property might not take effect without restarting the application server. For a Thales nCipher module-protected slot (slot index 0), |
|
|
(Optional) Path to file with PKCS#11 attributes used for key generation. Cannot be used together with From SignServer 7.6, the directory containing the |
|
|
If Default: Set this property on the Worker where the signing key is specified in |
|
|
The key alias used for test-signing when checking whether the Crypto Token is active. See Crypto Tokens: HSMs & Keystores | Key Aliases, Certificates, and PKCS#11 Objects for how this alias maps to objects on the HSM. If this key does not exist, the Crypto Token/Worker shows as The |
|
|
(Optional) Holds the alias of the next key to use for signing. A certificate signing request (CSR) can be generated for this key while the current key ( |
|
|
The authentication code used for activation. Only required for auto-activation. Manual activation can be performed using the |
|
|
Deprecated Specifies the full path to the PKCS#11 library. Use |
|
|
The name of the pre-defined PKCS#11 library to use. Available libraries are configured in |
|
|
Legacy properties for identifying the HSM slot. Available for backwards compatibility only. Use |
|
|
Specifies how the slot should be identified. Supported values are |
|
|
Specifies the slot to use, according to the type set in
Required. Cannot be used if the legacy |
Default Global Worker Properties
Certain Worker properties can instead be specified as default values in the global configuration, to avoid having to repeat the properties in every Worker. Individual Workers can override the default global values (if any), by specifying the property as usual.
Global default values are specified as global values in the global configuration with the name prefixed with DEFAULT.. The following properties can currently be specified in the global configuration:
|
Property |
Description |
|---|---|
|
|
The name of the pre-defined PKCS#11 library. |
|
|
How to identify the slot ( |
|
|
Which slot to use. |
|
|
PKCS#11 key generation attributes (inline). |
|
|
Path to a PKCS#11 attributes file. |
|
|
HSM activation PIN. |
For more information on global properties, see Global Configuration Properties.
Example Usage
-
Copy
pkcs11-crypto.propertiesand edit to match your PKCS#11 token. -
Load the configuration:
bin/signserver setproperties pkcs11-crypto-configuragtion.properties
-
Reload the Worker using the ID printed by the previous command (in this example,
8):
bin/signserver reload 8
-
Activate the Crypto Token:
bin/signserver activatecryptotoken 8
If the key alias set in DEFAULTKEY does not yet exist on the HSM, activation appears to fail. Continue to the next step to create the test key.
-
Generate a key pair to use as the test key:
bin/signserver generatekey 8 -alias testkey1 -keyalg RSA -keyspec 2048
-
Set the new key as the
DEFAULTKEYand reload:
bin/signserver setproperty 8 DEFAULTKEY testkey1
bin/signserver reload 8
bin/signserver activatecryptotoken 8
-
Test the key pair:
bin/signserver testkey 8
-
Generate a certificate signing request (CSR):
bin/signserver generatecertreq 8 "CN=PKCS11 Signer token" SHA1WithRSA /tmp/certreq.pem
-
Submit the CSR to a CA (for example, via EJBCA) to obtain a signed certificate.
-
Assemble the certificate chain, with the signer certificate first and root CA last:
cat /tmp/cert.pem /tmp/AdminCA1.pem > /tmp/certchain.pem
-
Upload the certificate chain to the signing Worker
bin/signserver uploadsignercertificatechain 9 GLOB /tmp/certchain.pem bin/signserver reload 9
-
Specify a PKCS#11 attribute to override the statically configured attribute to use when generating a key.
Where x is the object class: PUBLIC or PRIVATE.
Where y is the key type: RSA, ECDSA, and so on.
Where z is the attribute name or ID as decimal number or a hexadecimal number prefixed with "0x".
Known Issues
RSASSA-PSS (SHAxWithRSAandMGF1) compatibility with certain Java versions
The RSASSA-PSS signature algorithm was not supported with SunPKCS11 in older Java releases. Later versions of Java 8 and 11 added support, but for Java versions earlier than 11.0.7 the algorithm only works with key sizes of 4096 bits or larger.