This is an EJBCA Enterprise feature.

Google Cloud Platform Key Management Service (GCP Cloud KMS) is a key management service provided by Google as part of the Google Cloud Platform. Cloud KMS can be used both by machines running in GCP and remotely from outside it. For more information, refer to the Google Cloud documentation on Cloud Key Management Service.

GCP Cloud KMS provides a PKCS#11 library that lets PKCS#11-aware applications use KMS-held keys. Since EJBCA has robust PKCS#11 support for many HSMs, it has also been tested with GCP Cloud KMS using the PKCS#11 NG Crypto Token type (from EJBCA 7.10.0).

Limitations

There are a few limitations when using the GCP Cloud KMS PKCS#11 library with PKCS#11 NG.

  • The GCP Cloud KMS PKCS#11 Library requires GCP custom attributes when generating keys. These custom attributes cannot be set from EJBCA, so keys cannot be generated from within EJBCA and must instead be generated in the GCP Console.
  • When creating a CA in EJBCA and selecting the CA Signature Algorithm, all choices are shown in the Admin UI, but only a signature algorithm matching the algorithm the key was generated with can be used. Selecting a non-matching algorithm in the Admin UI results in an error.
    • For more information, refer to the GCP KMS documentation on Asymmetric signing algorithms.
    • For example, for RSA keys (such as RSA 2048) generated with the KMS algorithm rsa-sign-raw-pkcs1-2048, the signature algorithms SHA256WithRSA, SHA384WithRSA, and SHA512WithRSA work, but RSASSA-PSS (SHA256WithRSAAndMGF1) does not.
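To make the matching rule above concrete, the following is an added pre-flight check (example code written for this page, not part of EJBCA or of Google's PKCS#11 library) that derives, from a Cloud KMS algorithm identifier, the CA signature algorithm names EJBCA can be configured with for a key of that type. Only the raw PKCS#1 case (rsa-sign-raw-pkcs1-2048 allowing SHA256/384/512WithRSA but not SHA256WithRSAAndMGF1) is documented on this page; the handling of the fixed-digest PKCS#1, PSS and EC identifiers (names as used by the GCP KMS API and gcloud) is an assumption derived from GCP's algorithm naming and should be confirmed against the GCP KMS asymmetric signing algorithm documentation before it is relied on.

```python
"""Pre-flight check: which EJBCA CA signature algorithms a GCP Cloud KMS signing key can serve.

Example code added for illustration; it is not EJBCA's or the GCP PKCS#11 library's own logic.
"""
import re

# Cloud KMS algorithm identifiers as written in gcloud (lower-case, hyphenated); the API form
# (e.g. RSA_SIGN_RAW_PKCS1_2048) is normalised to the same shape before matching.
_RSA_RAW = re.compile(r"^rsa-sign-raw-pkcs1-(\d+)$")            # digest chosen by caller
_RSA_FIXED = re.compile(r"^rsa-sign-(pkcs1|pss)-(\d+)-sha(\d+)$")  # digest fixed at key creation
_EC = re.compile(r"^ec-sign-(p256|p384|secp256k1)-sha(\d+)$")     # curve + digest fixed


def _normalise(kms_algorithm: str) -> str:
    return kms_algorithm.strip().lower().replace("_", "-")


def compatible_signature_algorithms(kms_algorithm: str) -> frozenset[str]:
    """Return the EJBCA/JCA signature algorithm names usable with a key of the given KMS algorithm.

    Raises ValueError for identifiers that are not recognised asymmetric signing algorithms
    (for example encryption or symmetric key algorithms).
    """
    name = _normalise(kms_algorithm)

    if _RSA_RAW.match(name):
        # Documented on the page: a raw PKCS#1 key does not bind a digest, so any SHA-2
        # PKCS#1 v1.5 signature works, while RSASSA-PSS (…AndMGF1) does not.
        return frozenset(f"SHA{d}WithRSA" for d in (256, 384, 512))

    m = _RSA_FIXED.match(name)
    if m:
        # Assumption: a key created with a fixed digest/padding accepts exactly that combination.
        scheme, _bits, digest = m.groups()
        if scheme == "pkcs1":
            return frozenset({f"SHA{digest}WithRSA"})
        return frozenset({f"SHA{digest}WithRSAAndMGF1"})

    m = _EC.match(name)
    if m:
        # Assumption: EC keys accept ECDSA with the digest named in the identifier.
        _curve, digest = m.groups()
        return frozenset({f"SHA{digest}withECDSA"})

    raise ValueError(f"not a recognised GCP KMS asymmetric signing algorithm: {kms_algorithm!r}")


def is_signing_algorithm(kms_algorithm: str) -> bool:
    """True if the identifier names a signing key type this check understands."""
    try:
        compatible_signature_algorithms(kms_algorithm)
        return True
    except ValueError:
        return False


def check_ca_signature_algorithm(kms_algorithm: str, ca_signature_algorithm: str) -> bool:
    """True if the CA Signature Algorithm chosen in the EJBCA Admin UI matches the KMS key.

    Comparison is case-insensitive because EJBCA spells some names 'With' and others 'with'.
    """
    allowed = {a.lower() for a in compatible_signature_algorithms(kms_algorithm)}
    return ca_signature_algorithm.strip().lower() in allowed


if __name__ == "__main__":
    # Constructed sample: the key type from the page and a PSS choice that will be rejected.
    key_alg = "rsa-sign-raw-pkcs1-2048"
    for choice in ("SHA256WithRSA", "SHA512WithRSA", "SHA256WithRSAAndMGF1"):
        verdict = "ok" if check_ca_signature_algorithm(key_alg, choice) else "REJECTED"
        print(f"{key_alg} + {choice}: {verdict}")
```

Run the check before creating the CA in the Admin UI: pass the algorithm shown for the key version in the GCP Console and the CA Signature Algorithm you intend to select; a False result means EJBCA would hit the error described above at CA creation time.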

More information

For more information on the EJBCA Cloud product, see EJBCA Enterprise Cloud on the PrimeKey website or the EJBCA Cloud Documentation. If you are interested in GCP Cloud KMS support, contact the EJBCA Cloud team.