11 - Create a CryptoToken in EJBCA

NOTE If you have already performed these steps before creating the keys with the clientToolBox, restart EJBCA using the command service wildfly restart.

If you are creating the crypto token for the first time, proceed with the following steps:

  1. Log in to EJBCA as Superadmin.
  2. Select Crypto Tokens and click Create new.
  3. Specify the values as follows:

    • Name: <anything> (For example CloudHSM Root Slot)

    • Type: PKCS#11

    • Authentication Code: <HSM_CryptoUser>:<password> (for example CryptoUser:CUPassword123!)

    • AutoActivation: Clear (do not set this; setting it prevents the CryptoToken from activating at all).

    • Use Explicit ECC parameters: Clear

    • PKCS#11: Library: AWS CloudHSM

    • PKCS#11: Reference Type: Slot ID

    • PKCS#11: Reference: 1

    • PKCS#11: Attribute Type: Default

  4. Click Save.

  5. The keys that ClientToolBox created in the slot are now displayed in the Crypto Token.

Auto Activating a CloudHSM CryptoToken

NOTE To auto activate a crypto token at boot time, we recommend encrypting the password with the ejbca.sh encryptpwd command rather than storing it in clear text:

[/opt/ejbca/bin]# ./ejbca.sh encryptpwd
Please note that this encryption does not provide absolute security. If 'password.encryption.key' property haven't been customized it doesn't provide more security than just preventing accidental viewing. Enter word to encrypt: 
 Encrypting pwd (with default key) 939fb2c5ec0094dcb227587378a9d55cb4236ba0c212a83641d9b20312307a76

Once you have this encrypted value, pass it to the following command from a script that runs at startup:

[/opt/ejbca/bin]# ./ejbca.sh cryptotoken activate --token "CloudHSM" 939fb2c5ec0094dcb227587378a9d55cb4236ba0c212a83641d9b20312307a76
 CryptoToken activated successfully using supplied PIN.
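The startup script the note above refers to, as an added example that is not part of the EJBCA documentation: it reads the encryptpwd output from a root-only file, checks that the value really is the 64-character encrypted form and not a plaintext PIN pasted in by mistake, waits for WildFly to answer, and then runs the activation command shown above. The PIN file path /etc/ejbca/cloudhsm.pin.enc, the readiness URL on port 8080 and the EJBCA_HOME default are assumptions; the token name CloudHSM is taken from the command above. Because encryptpwd itself warns that the default key only prevents accidental viewing, the script refuses to run unless the PIN file is readable by its owner alone; customizing password.encryption.key is still the stronger choice.

```sh
#!/bin/sh
# Added example (not from the EJBCA documentation): activate a PKCS#11
# CryptoToken at boot with the value produced by "ejbca.sh encryptpwd".
# Assumptions: EJBCA is installed under /opt/ejbca, the encrypted PIN is kept
# in a root-only file (hypothetical path below), and WildFly serves EJBCA on
# localhost:8080. Run with "--run" to perform the activation.

EJBCA_HOME="${EJBCA_HOME:-/opt/ejbca}"
TOKEN_NAME="${TOKEN_NAME:-CloudHSM}"
PIN_FILE="${PIN_FILE:-/etc/ejbca/cloudhsm.pin.enc}"   # hypothetical path
READY_URL="${READY_URL:-http://localhost:8080/ejbca/}" # assumed readiness URL
WAIT_SECS="${WAIT_SECS:-300}"

# encryptpwd prints 64 hex characters; anything else is treated as a mistake
# (for example the clear-text CryptoUser password) and rejected.
is_encrypted_pin() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# Refuse a PIN file that group or others can read (mode 0600 or 0400 only).
# Columns 5-10 of "ls -l" are the group and other permission bits.
pin_file_is_private() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Wait until WildFly answers before calling the CLI, which needs the
# application server up to reach the CryptoToken session bean.
wait_for_ejbca() {
    deadline=$(( $(date +%s) + WAIT_SECS ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        if curl -s -o /dev/null "$READY_URL"; then
            return 0
        fi
        sleep 5
    done
    return 1
}

# Build the exact activation command from the documentation so it can be
# logged or reviewed before it is executed.
build_activate_cmd() {
    printf '%s/bin/ejbca.sh cryptotoken activate --token "%s" %s' \
        "$EJBCA_HOME" "$TOKEN_NAME" "$1"
}

activate_token() {
    pin_file_is_private "$PIN_FILE" || {
        echo "refusing: $PIN_FILE must be mode 0600 or 0400" >&2; return 2; }
    pin=$(tr -d '[:space:]' < "$PIN_FILE")
    is_encrypted_pin "$pin" || {
        echo "refusing: $PIN_FILE does not hold an encryptpwd value" >&2; return 3; }
    wait_for_ejbca || {
        echo "EJBCA did not come up within ${WAIT_SECS}s" >&2; return 4; }
    echo "running: $(build_activate_cmd '<encrypted pin>')"
    "$EJBCA_HOME/bin/ejbca.sh" cryptotoken activate --token "$TOKEN_NAME" "$pin"
}

# Only activate when invoked explicitly, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    activate_token
fi
```

A natural place to call this script is a systemd ExecStartPost on the wildfly unit or a cron @reboot entry run as root, after the service wildfly restart described earlier; that placement is an assumption, not something the page prescribes.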