9 - Create a Keystore in the HSM
The following describes how to create a keystore in the HSM.
These instructions are only needed with EJBCA versions lower than 7.5. With EJBCA 7.5, all keys can be created from inside the Crypto Token interface of the EJBCA Admin Interface.
With EJBCA 7.5, ensure p11ng.cryptotoken.enabled=true
is set in the EJBCA configuration file web.properties (this is done for you in EJBCA Cloud already).
To create a keystore in the HSM using clientToolBox, do the following:
Create a testkey with clientToolBox. EJBCA will use this key for healthcheck and keepalive to the HSM.
It is important to run these commands as the wildfly user. This is due to file system access permissions and maintaining the permissions for WildFly to be able to use these keys.For EJBCA Cloud 2.6 and EJBCA 7.5.0 and above, use the following:
# /opt/ejbca/dist/p11ng-cli/p11ng-cli.sh generatekeypair --lib-file /opt/cloudhsm/lib/libcloudhsm_pkcs11.so --slot-ref SLOT_LABEL --slot cavium --alias testKey0001 --key-spec RSA2048 --key-usage SIGN_ENCRYPT
BASHFor EJBCA Cloud 2.5.X and EJBCA 7.4.3.3 and below, use the following:
# su - wildfly # /opt/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /opt/PrimeKey/cloudhsm/p11.conf 2048 testKey0001
CODEYou will be prompted for a password in the format of
<HSM_CryptoUser>:<password>
For example, the following is the PKCS #11 PIN for an HSM crypto user (CU) with user name CryptoUser and password CUPassword123!:CryptoUser:CUPassword123!
CODECreate a total of three keys for EJBCA:
- testKey (created in step 1)
- signKey
- defaultKey
Create two more keys called signKey and defaultKey.
For EJBCA Cloud 2.6 and EJBCA 7.5.0 and above, use the following:# /opt/ejbca/dist/p11ng-cli/p11ng-cli.sh generatekeypair --lib-file /opt/cloudhsm/lib/libcloudhsm_pkcs11.so --slot-ref SLOT_LABEL --slot cavium --alias signKey0001 --key-spec RSA2048 --key-usage SIGN_ENCRYPT # /opt/ejbca/dist/p11ng-cli/p11ng-cli.sh generatekeypair --lib-file /opt/cloudhsm/lib/libcloudhsm_pkcs11.so --slot-ref SLOT_LABEL --slot cavium --alias defaultKey0001 --key-spec RSA2048 --key-usage SIGN_ENCRYPT
BASHFor EJBCA Cloud 2.5.X and EJBCA 7.4.3.3 and below, use the following:
# /opt/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /opt/PrimeKey/cloudhsm/p11.conf 4096 signKey0001 # /opt/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /opt/PrimeKey/cloudhsm/p11.conf 4096 defaultKey0001
CODEIf ECC keys are desired, you can use a named curve. For example, to generate a prime256v1 curve, use the following command:
# /opt/ejbca/dist/p11ng-cli/p11ng-cli.sh generatekeypair --lib-file /opt/cloudhsm/lib/libcloudhsm_pkcs11.so --slot-ref SLOT_LABEL --slot cavium --alias testKey0001 --key-spec P-256 --key-usage SIGN_ENCRYPT
CODEor
# /opt/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /opt/PrimeKey/cloudhsm/p11.conf prime256v1 testKeyecdsa0001
CODE
For more information, refer to the EJBCA documentation on ECDSA Keys and Signatures.