Create Root CA Keys

The following describes how to create three keys for the Root CA to use using clientToolBox.

To create a keystore in the HSM using clientToolBox, do the following:
  1. Create a testkey with clientToolBox. EJBCA will use this key for healthcheck and keepalive to the HSM.
    (warning) It is important to run these commands as the wildfly user.  This is due to file system access permissions and maintaining the permissions for wildfly to be able to use these keys.
    # su - wildfly
    # /opt/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /opt/PrimeKey/cloudhsm/p11.conf 2048 testKey0001
  2. You will be prompted for a password in the format of <HSM_CryptoUser>:<password>
    For example, the following is the PKCS #11 PIN for an HSM crypto user (CU) with user name CryptoUser and password CUPassword123!:

    CryptoUser:CUPassword123!
  3. Create a total of three keys for EJBCA:

    • testKey (created in step 1)
    • signKey
    • defaultKey
  4. Create two more keys called signKey and defaultKey with the following commands:
    # /opt/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /opt/PrimeKey/cloudhsm/p11.conf 4096 signKey0001
    # /opt/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /opt/PrimeKey/cloudhsm/p11.conf 4096 defaultKey0001


If ECC keys are desired, you can use a named curve. For example, to generate a prime256v1 curve, use the following command:

# /opt/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /opt/PrimeKey/cloudhsm/p11.conf prime256v1 testKeyecdsa0001

For more information, refer to the EJBCA documentation on ECDSA Keys and Signatures.