The following describes how to verify the key pair for use with EJBCA.

These instructions are only needed with EJBCA versions lower than 7.5. With EJBCA 7.5, all keys can be created from inside the Crypto Token interface of the EJBCA Admin Interface.

With EJBCA 7.5, ensure p11ng.cryptotoken.enabled=true is set in the EJBCA configuration file (this is done for you in EJBCA Cloud already)

Use the EJBCA clientToolBox to validate that the key was created and is available on the CloudHSM according to the following example:

  1. Use EJBCA clientToolBox to validate key creation:

    For EJBCA Cloud 2.6 and EJBCA 7.5.0 and above, use the following:

    # /opt/ejbca/dist/p11ng-cli/ listobjects --lib-file /opt/cloudhsm/lib/ --slot-ref SLOT_LABEL --slot cavium

    For EJBCA Cloud 2.5.X and EJBCA and below use the following:

    #  /opt/ejbca/dist/clientToolBox/ PKCS11HSMKeyTool test /opt/PrimeKey/cloudhsm/lib/ 1
    When prompted for a password you must use the CloudHSM password format of username:password, for example: CryptoUser:CUPassword12
  2. Ensure the p11ng-cli or the clientToolBox outputs the results of the keys found on the CloudHSM with the key details.