SoftHSM2 works very well with EJBCA, and after initializing a slot you can use it by creating a new Crypto Token in the Admin GUI.

The user PIN is what you will use to activate the token in EJBCA.

sudo apt-get install softhsm2

To be able to create tokens as a normal user, add yourself to the ods group, which has read and write access to /var/lib/softhsm/tokens. Make sure that the user running the application server (here, wildfly) belongs to this group as well.

sudo usermod -aG ods "$USER"
sudo usermod -aG ods wildfly

After setting privileges (the new group membership takes effect on your next login), you can use softhsm2-util as a normal user to initialize the first token:

softhsm2-util --init-token --free --label myslot

Repeat the command with a different label to initialize additional tokens. Note that if you pass --slot to SoftHSM2 instead of --free, the token will most likely not end up in the slot number you specify, because SoftHSM2 assigns slot IDs itself; look the slot up by its label instead.

To list the slots, use the following command:

softhsm2-util --show-slots
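Because the slot ID is chosen by SoftHSM2 rather than by you, a script that needs the number has to resolve it from the label. The following POSIX shell function is an added example (it is not part of the SoftHSM2 or EJBCA documentation) that parses the output of softhsm2-util --show-slots and prints the slot ID of an initialized token with a given label; the sample output embedded below is constructed and trimmed to the fields the parser reads.

```shell
#!/bin/sh
# Added example: map a SoftHSM2 token label to the slot ID SoftHSM2 assigned it.

# Constructed sample of `softhsm2-util --show-slots` output (not captured from a
# real system). Real output carries more lines per slot, which the parser ignores.
SAMPLE_SHOW_SLOTS='Available slots:
Slot 1568524416
    Slot info:
        Description:      SoftHSM slot ID 0x5d7e0880
        Token present:    yes
    Token info:
        Serial number:    9dd4d0c05d7e0880
        Initialized:      yes
        User PIN init.:   yes
        Label:            myslot
Slot 1
    Slot info:
        Description:      SoftHSM slot ID 0x1
        Token present:    yes
    Token info:
        Serial number:
        Initialized:      no
        User PIN init.:   no
        Label:'

# slot_for_label LABEL [SHOW_SLOTS_OUTPUT]
# Prints the numeric slot ID of the *initialized* token carrying LABEL and
# returns 0; returns 1 when no such token exists. Without a second argument it
# runs softhsm2-util --show-slots itself; with one it parses that text instead.
slot_for_label() {
    label=$1
    if [ $# -ge 2 ]; then
        out=$2
    else
        out=$(softhsm2-util --show-slots) || return 1
    fi
    printf '%s\n' "$out" | awk -v want="$label" '
        /^Slot [0-9]+$/   { slot = $2; init = "" }   # new slot block starts
        /^ *Initialized:/ { init = $2 }              # remember yes/no per slot
        /^ *Label:/ {
            sub(/^ *Label: */, ""); sub(/ *$/, "")   # keep only the label text
            if ($0 == want && init == "yes") { print slot; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Usage against the constructed sample; drop the second argument on a real host.
slot_for_label myslot "$SAMPLE_SHOW_SLOTS"
```

The uninitialized slot in the sample has an empty label, and the function deliberately refuses to match it, so an empty or unknown label yields a non-zero exit rather than a bogus slot number.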

To list all keys on a slot that EJBCA can use, run the clientToolBox PKCS11HSMKeyTool test command:

./ PKCS11HSMKeyTool test /usr/local/lib/softhsm/ TOKEN_LABEL:slot1

To list all PKCS#11 objects on a slot, you can use a generic PKCS#11 tool such as OpenSC's pkcs11-tool:

pkcs11-tool --module /usr/local/lib/softhsm/ --token-label slot1 --pin foo123 -O