
Security: Configuring an Utimaco HSM

A Hardware Security Module (HSM) can be configured to store and protect cryptographic keys in a centralized, high-assurance appliance, providing a root of trust for sensitive cryptographic data transactions.
Optionally, you can use the software-based SoftHSM implementation for demonstration or testing purposes.

The following describes how to configure an Utimaco HSM for the Software Appliance by registering the Software Appliance and connecting it to the HSM.

For more information, refer to the Utimaco HSM product CD that you received with your purchase of the HSM.

If you are using the firmware version SecurityServer-Se2-Series-4.32.0.3-FIPS from Utimaco, select this driver: SecurityServer 4.32.0.6 FIPS.

Choose one of the following Utimaco software packages:

  • SecurityServer 4.32.0.6 FIPS

  • SecurityServer 4.45.5.1

  • SecurityServer 4.51.0.1

  • Utimaco u.trust Anchor Product Bundle 4.70.0.0

To configure an Utimaco HSM for your Software Appliance, follow the steps below.

If you run into issues after the configuration, you can get HSM-specific log messages from an HSM Support Package. For further information, refer to Create an HSM Log.

Connect the Software Appliance with the Utimaco HSM

  1. Log in to your Software Appliance and open the Security page or click Configure HSM in the Overview.

  2. In the HSM Configuration section, click + Add External HSM in the HSM Selection field.


  3. The Add an external HSM window opens.
    Select Utimaco HSM to access the Configuration fields.

  4. Click Select HSM Type to continue. 


  5. The HSM Client Version section is displayed on the Security page.

  6. Click on the HSM client version to be used.

  7. Connection Settings

    • HSM IP Address / FQDN:
      Enter the IP address or the Fully Qualified Domain Name (FQDN) of the HSM. Only IPv4 addresses are supported.

    • HSM Port:
      Enter the Port of the Utimaco HSM.

    • Connection Timeout:
      Enter the timeout in milliseconds to wait for a non-responding device.

  8. PKCS#11 Related Settings

    • Command Timeout:
      Enter the time in milliseconds to wait for the answer from the HSM after sending a command.
      Increase the default value if you know that your device is slow.

    • Slot Count:
      Enter the number of slots configured on your Utimaco HSM.

  9. Usage Information

The last line in Usage Information displays the options:

Remove HSM Configuration
To remove the HSM configuration, type REMOVE HSM CONFIGURATION into the Confirm Action field.
Click Cancel/Remove.
If Remove is chosen, the application will restart.

If changes have been made to the sections:
HSM Client Authentication Configuration
Secure Channel Client Configuration
Miscellaneous Configurations

these can be undone with Cancel or saved with Save HSM Configuration.

Abort
Click Abort to terminate the process of configuring an HSM.

Save HSM Configuration
Click Save HSM Configuration to save changes made on the HSM configuration.

  1. Confirm with Save HSM Configuration.

  2. A modal dialog requests to confirm your configuration.
    Save HSM configuration

  3. Proceed with Activate.


The HSM device is now configured and HSM Status information will be displayed.

On the Security page of the appliance, the status of the HSM Driver will change from Not Connected to Connected as soon as the configuration is completed.

On the Overview page of the appliance, the status in the HSM Overview also changes to Connected as soon as the configuration is completed. 

During reconfiguration, the application is not available and displays Restarting.

Once EJBCA is running again, you can proceed with adding a crypto token.

Add a Crypto Token in EJBCA Enterprise

To create a crypto token:

  1. On the Overview page of the Software Appliance, click Admin Web for EJBCA in the Application Overview column.

  2. The EJBCA Enterprise page opens.
    Check whether the Create new CA checkbox is selected.

  3. Open the CA Functions drop-down menu in the top menu.

  4. In the CA Functions section, select Crypto Tokens.

  5. On the Manage Crypto Tokens page, click Create New...

The individual configuration of the crypto token depends on the configuration of the HSM. For detailed information, see Managing Crypto Tokens.


If you are using the PKCS#11 Reference Type Slot ID, make sure that the value you enter for the PKCS#11 Reference is smaller than the value you previously entered for the Slot Count.
For the default Slot Count entry of 10, for example, the slot numbers 0-9 are possible.
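
A pre-flight check of the Connection Settings and PKCS#11 values described above, including the Slot ID rule, can catch inconsistent input before the appliance restarts. This is an added example, not part of the Software Appliance or the Utimaco tooling; the function names, the FQDN syntax rule and the sample values are assumptions.

```python
import ipaddress
import re
import socket

# Assumed FQDN syntax: RFC 1123 labels, at least two, last one not purely numeric.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def check_hsm_settings(host, port, conn_timeout_ms, cmd_timeout_ms,
                       slot_count, slot_id=None):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    try:
        if ipaddress.ip_address(host).version != 4:
            problems.append("host: only IPv4 addresses are supported")
    except ValueError:
        # Not an IP literal, so it has to be a syntactically valid FQDN.
        labels = host.rstrip(".").split(".")
        if (len(host) > 253 or len(labels) < 2 or labels[-1].isdigit()
                or not all(_LABEL.match(label) for label in labels)):
            problems.append("host: not an IPv4 address or a valid FQDN")
    if not 1 <= port <= 65535:
        problems.append("port: must be 1-65535")
    for name, value in (("connection timeout", conn_timeout_ms),
                        ("command timeout", cmd_timeout_ms)):
        if value <= 0:
            problems.append(f"{name}: must be a positive number of milliseconds")
    if slot_count < 1:
        problems.append("slot count: must be at least 1")
    elif slot_id is not None and not 0 <= slot_id < slot_count:
        # Slot IDs are zero-based, so the highest usable ID is slot_count - 1.
        problems.append(f"slot id {slot_id}: must be in 0-{slot_count - 1}")
    return problems

def hsm_reachable(host, port, conn_timeout_ms):
    """TCP connect over IPv4 only, with the timeout planned for the appliance."""
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return False  # the FQDN has no IPv4 (A) record
    for *_, sockaddr in infos:
        try:
            with socket.create_connection(sockaddr[:2], timeout=conn_timeout_ms / 1000):
                return True
        except OSError:
            continue
    return False
```

Run `hsm_reachable` from a host in the same network segment as the appliance; a successful TCP connect only shows that the port is open, not that the HSM accepts the client.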

HSM Troubleshooting

In the section HSM Driver Controls the current HSM Driver Status is displayed.
In case of HSM problems, the HSM driver can be restarted via the Restart button.
