This is an EJBCA Enterprise feature.

Fortanix Data Security Manager HSM is a cloud-based HSM service provided by Fortanix. Keys are stored in the FIPS 140-2 Level 3 certified HSM and cryptographic operations are securely executed within the module.

As of EJBCA 8.0, EJBCA can access the HSM service using Fortanix's REST API or using the legacy PKCS#11 API. Using Fortanix's REST API is the recommended and most performant method of using the HSM service.

REST Integration

EJBCA supports authenticating to Fortanix Data Security Manager (DSM) via an API Key.

To create an API key in the Fortanix DSM application:

  1. In the Fortanix DSM, select your account, and then click Apps in the left menu.
  2. Click + to add a new application.
  3. Specify a name for your application and select API Key as your authentication method.
  4. After creating your application, click View API Key Details and copy the API Key value to the clipboard. This is the value that needs to be entered into EJBCA as an authentication code when creating a Fortanix Crypto Token.

Next, go to EJBCA to complete the integration:

  1. In the EJBCA menu, under CA Functions, click Crypto Tokens.

  2. Click Create new and specify the following on the New Crypto Token page:
    • Name: Specify a name for the Fortanix Crypto Token.
    • Type: Select Fortanix DSM.
    • Authentication Code: Paste the API key value copied previously, and paste it again in the Repeat Authentication Code field. This code will be used as a password to activate the crypto token.

  3. Click Save to create the Fortanix Crypto Token.

Your Fortanix DSM Crypto Token is now available for use in EJBCA.

PKCS#11 Integration

Note that installation of the Fortanix PKCS#11 driver is required for this integration.

For step-by-step instructions on how to integrate EJBCA with Fortanix Data Security Manager (DSM), refer to the Fortanix EJBCA integration guide.