
Security: Configuring a TrustWay Proteccio netHSM


You can configure a Hardware Security Module (HSM) to store and protect your cryptographic keys. Optionally, you can use the software-based SoftHSM implementation for demonstration or testing purposes.

The following describes how to configure a TrustWay Proteccio netHSM for the Software Appliance by registering the Software Appliance and connecting it to the HSM.

Configuring an HSM for the Software Appliance is irrevocable. To change an HSM configuration, you must reset the Software Appliance.

To configure a TrustWay Proteccio netHSM for your Software Appliance, follow the steps below.

If you run into issues after the configuration, you can obtain HSM-specific log messages from an HSM Support Package. For further information, refer to Create an HSM Log.

Connect the Software Appliance with the TrustWay Proteccio netHSM

  1. Log in to your Software Appliance and open the Security page or click Configure HSM in the Overview.

  2. In the HSM Configuration section, select TrustWay Proteccio netHSM to access the Configuration fields.



     

  3. HSM Client Version
    Select the HSM client version you want to use. Some of the later steps (the Secure Channel fields) only appear for client version 4.05.04.

  4. Click Add HSM Device to open the form for the device address and its server certificate.

    • HSM IP Address:
      Enter the IP address of the TrustWay Proteccio netHSM.
      Only IPv4 addresses are supported; hostnames and IPv6 addresses are rejected.

    • Upload the TrustWay Proteccio netHSM Server Certificate used for the connection, by dragging and dropping or by selecting the file.
      The appliance trusts whatever certificate you upload here, so verify its fingerprint against the value provided by the HSM administrator before uploading it.

      If you selected HSM client version 4.05.04, an additional field is available for the Secure Channel Public Key.
      Uploading it is optional and only necessary if the secure channel is activated on the HSM.

  5. Confirm with Add HSM Device.

    A warning informs you that after the HSM configuration has been saved you can no longer switch to a different HSM. To change the HSM configuration later, you must reset the EJBCA Software Appliance.

  6. Proceed with Activate.

    The information on the HSM is displayed.

  7. HSM Client Authentication Configuration
    This step is only necessary if client authentication is enabled on the HSM.
    Click Download Client Certificate (HSM client authentication configuration) and upload the downloaded certificate to your TrustWay Proteccio netHSM.

  8. Secure Channel Client Configuration for TrustWay Proteccio 4.05.04
    This step is only necessary if the secure channel is enabled on the HSM side or is to be used in the future.

    If the TrustWay Proteccio 4.05.04 HSM client version has been selected, an additional function is available.
    In this section, click Download Secure Channel Client Key, then upload the downloaded Secure Channel Client Key to your TrustWay Proteccio netHSM.
    Note that the driver status shows Connected even if the secure channel has not yet been successfully established (for example, if the client key has not yet been added to the HSM whitelist). Do not take the Connected status as confirmation that the secure channel is in use; verify this on the HSM side.

  9. Miscellaneous Configurations
    All HSMs in the same group must have the same

    • hardware,

    • firmware,

    • key material,

    • and software configuration.

    In addition, the same cryptographic configuration must be used on all of them.
    The HSMs must be installed with the same install secret and user password.
    Select the check box for the option that applies to your setup.

  10. Finalize with Save HSM Configuration.
    On the Security page of the application, the status of the HSM Driver changes from Not Connected to Connected as soon as the configuration is completed.
    On the Overview page of the application, the status in the HSM Overview also changes to Connected as soon as the configuration is completed. During configuration, the appliance is in the Restarting status and is not available.
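Before starting the procedure above, it is worth running two offline checks on the inputs for step 4: that the address you are about to enter is a literal IPv4 address (the only form the appliance accepts), and that the server certificate you are about to upload has the SHA-256 fingerprint the HSM administrator gave you out of band, since the uploaded certificate becomes the trust anchor for the appliance-to-HSM connection. The script below is an added example, not code from the Software Appliance or from the HSM vendor; it uses only the Python standard library, and the certificate body it ships with is a constructed stand-in (a bare DER SEQUENCE), not a real Proteccio certificate. Replace `SAMPLE_PEM` with the PEM file you received and `expected_fp` with the administrator's fingerprint.

```python
"""Pre-upload checks for the TrustWay Proteccio netHSM connection form.

Added example (not part of the appliance or of the HSM vendor's tooling).
  1. check_hsm_address: the form accepts IPv4 literals only.
  2. verify_fingerprint: compare the SHA-256 fingerprint of the server
     certificate with the value obtained out of band, the same digest that
     `openssl x509 -noout -fingerprint -sha256` prints (SHA-256 over the DER).
"""
import hashlib
import hmac
import ipaddress
import ssl


def check_hsm_address(addr: str) -> bool:
    """True only for a literal IPv4 address; IPv6 literals and hostnames are rejected."""
    try:
        return isinstance(ipaddress.ip_address(addr.strip()), ipaddress.IPv4Address)
    except ValueError:
        return False


def fingerprint_sha256(pem: str) -> str:
    """SHA-256 fingerprint of a PEM certificate in colon-separated uppercase hex.

    ssl.PEM_cert_to_DER_cert only strips the PEM framing and base64-decodes the
    body; it raises ValueError when the BEGIN/END CERTIFICATE lines are missing.
    """
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise_fingerprint(fp: str) -> str:
    """Drop colons, spaces and case so 'aa:bb' and 'AABB' compare equal."""
    return "".join(c for c in fp.upper() if c in "0123456789ABCDEF")


def verify_fingerprint(pem: str, expected: str) -> bool:
    """True if the certificate's SHA-256 fingerprint matches the expected one.

    The expected value must be a full 64-hex-digit SHA-256 digest; a shorter or
    garbled value never matches. Constant-time comparison avoids leaking how
    many leading bytes matched.
    """
    want = normalise_fingerprint(expected)
    if len(want) != 64:
        return False
    got = normalise_fingerprint(fingerprint_sha256(pem))
    return hmac.compare_digest(got, want)


def preflight(addr: str, pem: str, expected_fp: str) -> dict:
    """Both checks at once; each key is True only if that input is safe to enter."""
    return {
        "address_ok": check_hsm_address(addr),
        "fingerprint_ok": verify_fingerprint(pem, expected_fp),
    }


# Constructed stand-in for the HSM server certificate: DER SEQUENCE { INTEGER 1 }.
# It is NOT a real certificate; it only exercises the PEM/DER handling.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    fp = fingerprint_sha256(SAMPLE_PEM)
    print("SHA-256 fingerprint of sample:", fp)
    # Hypothetical values: a documentation-range IPv4 address and the matching fingerprint.
    print(preflight("192.0.2.10", SAMPLE_PEM, fp))
    # An IPv6 literal and a wrong fingerprint both fail.
    print(preflight("2001:db8::10", SAMPLE_PEM, "AA:" * 31 + "AA"))
```

To get the reference value for a certificate file on the HSM administrator's side, `openssl x509 -in server.pem -noout -fingerprint -sha256` prints the same colon-separated digest that `fingerprint_sha256` returns, so the two can be compared directly.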

Once EJBCA is running again, you can proceed with adding a crypto token.

Add a Crypto Token in EJBCA Enterprise

To create a crypto token:

  1. On the Overview page of the Software Appliance, click Admin Web for EJBCA in the Application Overview column.

  2. The EJBCA Enterprise page opens.
    Check whether the Create new CA checkbox is selected.

  3. Open the CA Functions drop-down menu in the top menu.

  4. In the CA Functions section, select Crypto Tokens.

  5. On the Manage Crypto Tokens page, click Create New...

The individual configuration of the crypto token depends on the configuration of the HSM. For detailed information, see Managing Crypto Tokens.

HSM Troubleshooting

The HSM Driver Controls section displays the current HSM driver status.
In case of HSM problems, the HSM driver can be restarted with the Restart button.

For information about error codes, please refer to the TrustWay Proteccio netHSM Developer Guide.



