SoftHSM2 works very well with EJBCA, and after initializing a slot you can use it by creating a new Crypto Token in the Admin GUI.

The user PIN is what you will use to activate the token in EJBCA.

Debian

sudo apt-get install softhsm2
BASH

To be able to create tokens as a normal user, make /var/lib/softhsm/tokens readable and writable by adding yourself to the ods group. Make sure that the user running the application server belongs to this group as well.
Note: The group might be called softhsm instead of ods. You can check with ls -ld /etc/softhsm . If so, please adjust the commands.

sudo usermod -aG ods "$USER"
sudo usermod -aG ods wildfly
BASH

After setting privileges, you can use softhsm as normal user.

softhsm2-util --init-token --free --label slot1
BASH

Now you can initialize additional slots. Note that if you provide the --slot parameter to SoftHSM2 it will most likely not become the slot number you specify.

To list the slots, use the following command:

softhsm2-util --show-slots
CODE

To list all keys (usable by EJBCA) on a slot you can use a clientToolBox command:

./ejbcaClientToolBox.sh PKCS11HSMKeyTool test /usr/lib/softhsm/libsofthsm2.so TOKEN_LABEL:slot1
CODE

To list all PKCS#11 objects on a slot you can use a command like pkcs11-tool:

pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --token-label slot1 --pin foo123 -O
CODE