Within EJBCA, Crypto Tokens store the keys that our CA uses to perform its duties.

The following describes how to create two Crypto Tokens, one for the Root CA and one for the Issuing CA.

Create Crypto Token for Root CA

To create Crypto Tokens for the Root CA:

  1. Select Crypto Tokens under CA Functions, and then click Create new.
  2. Enter the following on the New Crypto Token page:
    1. Name: Name for the Root CA Crypto Token, for example, "Corporate Root CA Crypto Token". Note that this is not the CA name but the name of the token.
    2. Authentication Code: Enter a password to be used to activate the slot whenever the Root CA needs to be brought online.
    3. Auto-activation: Clear Use since we only need the root to sign the Issuing CA or renew its certificate.
    4. Allow export of private keys: This is an option since we are using soft keystores. To allow exporting of keys, select Allow. If cleared, EJBCA will try to prevent export.
  3. Click Save.
  4. Create three key pairs within the Crypto Token on the Crypto Token: <Name> page:
    1. defaultKey (RSA 2048 bit): Used for everything not signing or test.
    2. signKey (RSA 2048 bit): Used for cert signing.
    3. testKey (RSA 1024 bit): Used for testing health check for CA.

Create Crypto Token for Issuing CA

To create Crypto Tokens for the Issuing CA:

  1. Click Back to Crypto Token overview and perform the same Crypto Token steps to create or the Issuing CA Crypto Token.
    Note that the Issuing CA Crypto Token will be set to auto-activation in the next step.
  2. Enter the following on the New Crypto Token page:
    1. Name: Name for the Issuing CA Crypto Token, for example, "Corporate Issuing CA Crypto Token".
    2. Authentication Code: Enter a password to be used to activate the slot whenever the Issuing CA needs to be brought online.
    3. Auto-activation: Select Use to allow the token to start each time the system starts, and be active in order to be used by the issuing CA to issue certificates.
    4. Allow export of private keys: This is an option since we are using soft keystores. To allow exporting of keys, select Allow. If cleared, EJBCA will try to prevent export.
  3. Create the same three key pairs for the Issuing CA Crypto Token as for the Root CA Crypto Token:
    1. defaultKey (RSA 2048 bit): Used for everything not signing or test.
    2. signKey (RSA 2048 bit): Used for cert signing.
    3. testKey (RSA 1024 bit): Used for testing health check for CA.