The following describes how to verify the key pair for use with EJBCA.

These instructions are only needed with EJBCA versions lower than 7.5. With EJBCA 7.5, all keys can be created from inside the Crypto Token interface of the EJBCA Admin Interface.

With EJBCA 7.5, ensure that p11ng.cryptotoken.enabled=true is set in the EJBCA configuration file web.properties (this is already done for you in EJBCA Cloud).
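One way to confirm that setting, as an added example that is not part of EJBCA or its documentation: a plain grep for the property also matches commented-out lines, so this sketch reads the file the way java.util.Properties does for the `=` and `:` separators (comments skipped, last definition wins). The function names `prop_value` and `p11ng_enabled` are hypothetical, and the path to web.properties is passed as an argument because the page does not give one.

```shell
#!/bin/sh
# Added example (not EJBCA code): check the effective value of
# p11ng.cryptotoken.enabled in a Java .properties file.

# prop_value FILE KEY -> prints the value set by the last active definition of KEY.
prop_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }                 # comment lines are not settings
        {
            line = $0
            sub(/\r$/, "", line)               # tolerate CRLF line endings
            sub(/^[ \t]+/, "", line)           # leading whitespace is ignored
            if (!match(line, /[ \t]*[=:][ \t]*/)) next
            k = substr(line, 1, RSTART - 1)
            v = substr(line, RSTART + RLENGTH) # trailing whitespace stays in the value
            if (k == key) { val = v; found = 1 }   # last definition wins
        }
        END { if (found) print val }
    ' "$1"
}

# p11ng_enabled FILE -> 0 if enabled, 1 if not, 2 if the file is unreadable.
p11ng_enabled() {
    [ -r "$1" ] || return 2
    [ "$(prop_value "$1" p11ng.cryptotoken.enabled)" = "true" ]
}

# Constructed sample: the only "=true" line is commented out, so a plain
# grep for the setting would report it as enabled when it is not.
demo=$(mktemp)
printf '%s\n' '# p11ng.cryptotoken.enabled=true' \
              'p11ng.cryptotoken.enabled = false' > "$demo"
if p11ng_enabled "${1:-$demo}"; then
    echo "P11NG crypto token: enabled"
else
    echo "P11NG crypto token: NOT enabled"
fi
rm -f "$demo"
```

Pass the path of your web.properties as the first argument to check a real installation; without an argument the script runs against the constructed sample.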

Use the EJBCA clientToolBox to validate that the key was created and is available on the CloudHSM according to the following example:

  1. Use EJBCA clientToolBox to validate key creation:

    For EJBCA Cloud 2.6 and EJBCA 7.5.0 and above, use the following:

    # /opt/ejbca/dist/p11ng-cli/p11ng-cli.sh listobjects --lib-file /opt/cloudhsm/lib/libcloudhsm_pkcs11.so --slot-ref SLOT_LABEL --slot cavium

    For EJBCA Cloud 2.5.X and EJBCA 7.4.3.3 and below, use the following:

    # /opt/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool test /opt/PrimeKey/cloudhsm/lib/libliquidsec_pkcs11.so 1

    When prompted for a password, you must use the CloudHSM password format of username:password, for example: CryptoUser:CUPassword12
  2. Ensure that p11ng-cli or clientToolBox outputs the keys found on the CloudHSM, together with their key details.