Step 0: Comparing Security Keys

With these actions, you will check whether the key you have received via e-mail corresponds to the HSM authentication key stored on the machine. This is to make sure that the machine has not been manipulated.

These actions are only required for a brand-new EJBCA Hardware Appliance eIDAS edition that is set up for the very first time. In all other cases – as for example re-installing a Hardware Appliance – you can proceed with Step 1: External Erase and Factory Reset.

Proceed as follows to compare the security keys:

  1. Turn on the Hardware Appliance and wait until it is booted up.
  2. When boot-up is complete, the TLS Fingerprint is displayed in the front display. Write it down, you will need it for a later step:

    TLS fingerprint
  3. Change the default IP address to match your network requirements. For more information refer to Step 3: Changing the IP Address of the EJBCA Hardware Appliance.
  4. Open your browser and type in the newly assigned IP address to connect to the configurator WebConf of the EJBCA Hardware Appliance eIDAS edition. You will be asked to compare the TLS fingerprints:

    Verify TLS Certificate


  5. To compare the fingerprint of the TLS certificate and the fingerprint on the display of the EJBCA Hardware Appliance eIDAS edition proceed as follows.
    1. Click the Padlock icon in the address bar of your browser.

    2. Click > to expand the information for Connection is Not Secure. This opens information on the security of your connection.

    3. Click More Information and then View Certificate to open the Certificate Viewer.

    4. In the Certificate Viewer, find the SHA256 Fingerprint and compare it to what was shown on the appliance's display.

      If the two fingerprints match, the appliance is connected to the correct machine.
    5. Close the Certificate Viewer panel.


      Certificate viewer
  6. Click The fingerprints are the same in the Hardware Appliance Configuration page. You will be asked to compare the HSM Auth Key with the key you received via e-mail:

    Verify HSM Auth Key
  7. Click Download HSM Auth Key.
  8. Open the file, compare the keys and make sure they match.
  9. If the keys match you can safely use your device. To continue proceed to Step 1: External Erase and Factory Reset.

Do not continue to use the machine if there is a mismatch between the HSM Auth Key and the key you have received via e-mail. In such a case contact the PrimeKey support team.