SoftHSM2 works very well with EJBCA, and after initializing a slot you can use it by creating a new Crypto Token in the Admin GUI.
The user PIN is what you will use to activate the token in EJBCA.
sudo apt-get install softhsm2
To be able to create tokens as a normal user, make /var/lib/softhsm/tokens readable and writable by adding yourself to the
ods group. Make sure that the user running the application server belongs to this group as well.
sudo usermod -aG ods "$USER" sudo usermod -aG ods wildfly
After setting privileges, you can use softhsm as normal user.
softhsm2-util --init-token --free --label myslot
Now you can initialize additional slots. Note that if you provide the --slot parameter to SoftHSM2 it will most likely not become the slot number you specify.
To list the slots, use the following command:
To list all keys (usable by EJBCA) on a slot you can use a clientToolBox command:
./ejbcaClientToolBox.sh PKCS11HSMKeyTool test /usr/local/lib/softhsm/libsofthsm2.so TOKEN_LABEL:slot1
To list all PKCS#11 objects on a slot you can use a command like pkcs11-tool:
pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so --token-label slot1 --pin foo123 -O