Nitrokey HSM
The Nitrokey HSM is very similar to the SmartCard-HSM. You use opensc-pkcs11 to manage the Nitrokey HSM from EJBCA. The installation is straightforward if you follow the Nitrokey HSM installation instructions. In the following example, we use opensc installed from the Nitrokey repository.
After the installation you will be able to view the Nitrokey HSM:
user@linux:$ sc-hsm-tool
Using reader with a card: Nitrokey Nitrokey HSM (DENK01018660000 ) 00 00
Version : 3.1
Config options :
User PIN reset with SO-PIN enabled
SO-PIN tries left : 15
User PIN tries left : 3
user@linux:$ pkcs15-tool -D
Using reader with a card: Nitrokey Nitrokey HSM (DENK01018660000 ) 00 00
PKCS#15 Card [SmartCard-HSM]:
Version : 0
Serial number : DENK0101866
Manufacturer ID: www.CardContact.de
Flags :
PIN [UserPIN]
Object Flags : [0x3], private, modifiable
Auth ID : 02
ID : 01
<snip>
You can generate and test keys with clientToolBox. For example:
ant clientToolBox
cd dist/clientToolBox
./ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so 2048 rsaKey2048 0
<snip>
./ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so secp256r1 ecKeysecp256r1 0
<snip>
./ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so 1024 testKey 0
Using Slot Reference Type: Slot Number.
PKCS11 Token [SunPKCS11-opensc-pkcs11.so-slot0] Password:
2019-04-09 15:04:36,374 INFO [org.cesecore.keys.util.SignWithWorkingAlgorithm] Signature algorithm 'SHA1WithRSA' working for provider 'SunPKCS11-opensc-pkcs11.so-slot0 version 10'.
Created certificate with entry testKey.
./ejbcaClientToolBox.sh PKCS11HSMKeyTool test /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so 0
Testing of key: testKey
Private part:
SunPKCS11-opensc-pkcs11.so-slot0 RSA private key, 1024 bits (id 140137944076096, token object, sensitive, unextractable)
RSA key:
modulus: afc6f4149dc68d368a299cbf15370e36446bebc29770e35a98df974cf6ee033a180297cb6a4491b51e42135f2d5c5498e3ac5997c3c1c9af8d5a9881795c3715cbc330784964777321fcd3eb5c44dc6bdaa465a2f0d86fd6a509706ca5774a78b0b65b7f844231accfc73334664ad7255600dc0e9831578887fa3dab7051e3ed
public exponent: 10001
Security related private key attributes: No CESeCoreUtils in classpath.
encryption provider: SunJCE version 10; decryption provider: SunPKCS11-opensc-pkcs11.so-slot0 version 10; modulus length: 1024; byte length 117. The decoded byte string is equal to the original!
Signature test of key testKey: signature length 128; first byte 1f; verifying true
Signings per second: 5
Decryptions per second: 4
In EJBCA, web.properties is pre-configured with the opensc-pkcs11 library, named OpenSC, as the PKCS#11 crypto token library.
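The sc-hsm-tool status and the PKCS11HSMKeyTool test output shown above can be checked by a script before a token is put to use. The following is an added example, not part of the EJBCA documentation or tooling: the function names are hypothetical, the sample text is taken from the session output on this page, and the wording used to recognise a protected key is assumed to match that output.

```shell
#!/bin/sh
# Added example (not EJBCA code): pre-flight checks over the tool output above.
# Samples are lines from this page's session, embedded so the script runs offline.
SAMPLE_STATUS='Version : 3.1
User PIN reset with SO-PIN enabled
SO-PIN tries left : 15
User PIN tries left : 3'

SAMPLE_KEYTEST='Testing of key: testKey
SunPKCS11-opensc-pkcs11.so-slot0 RSA private key, 1024 bits (id 140137944076096, token object, sensitive, unextractable)'

# pin_tries_left LABEL: read sc-hsm-tool output on stdin, print LABEL's counter.
pin_tries_left() {
    sed -n "s/^[[:space:]]*$1 tries left[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# safe_to_login MIN: succeed only if at least MIN user PIN attempts remain,
# so a script with a stale PIN stops before it blocks the token.
safe_to_login() {
    tries=$(pin_tries_left "User PIN")
    [ -n "$tries" ] && [ "$tries" -ge "$1" ]
}

# audit_keys MIN_RSA_BITS: read "PKCS11HSMKeyTool test" output on stdin and
# print "<alias> <bits> <verdict>" per RSA private key. Assumption: a protected
# key is described with the words "sensitive" and "unextractable", as above.
audit_keys() {
    awk -v min="$1" '
        /^Testing of key:/ { alias = $4 }
        /RSA private key,/ {
            bits = $0
            sub(/.*RSA private key, /, "", bits)
            sub(/ bits.*/, "", bits)
            verdict = "OK"
            if ($0 !~ /sensitive/ || $0 !~ /unextractable/) verdict = "EXPOSED"
            else if (bits + 0 < min) verdict = "WEAK"
            print alias, bits, verdict
        }'
}

# Demo on the embedded samples; in practice pipe the live tool output instead.
if printf '%s\n' "$SAMPLE_STATUS" | safe_to_login 2; then
    echo "user PIN counter is high enough to attempt a login"
fi
printf '%s\n' "$SAMPLE_KEYTEST" | audit_keys 2048
```

With a 2048-bit minimum, the 1024-bit testKey generated above is reported as WEAK, which is the expected result for a throwaway test key that should not back a CA.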