SoftHSM2 works very well with EJBCA, and after initializing a slot you can use it by creating a new Crypto Token in the Admin GUI.
The user PIN is what you will use to activate the token in EJBCA.
Debian
sudo apt-get install softhsm2
BASH
To be able to create tokens as a normal user, make /var/lib/softhsm/tokens readable and writable by adding yourself to the ods
group. Make sure that the user running the application server belongs to this group as well.
Note: The group might be called softhsm
instead of ods
. You can check with ls -ld /etc/softhsm
. If so, please adjust the commands.
sudo usermod -aG ods "$USER"
sudo usermod -aG ods wildfly
BASH
After setting privileges, you can use softhsm as normal user.
softhsm2-util --init-token --free --label slot1
BASH
Now you can initialize additional slots. Note that if you provide the --slot parameter to SoftHSM2 it will most likely not become the slot number you specify.
To list the slots, use the following command:
softhsm2-util --show-slots
CODE
To list all keys (usable by EJBCA) on a slot you can use a clientToolBox command:
./ejbcaClientToolBox.sh PKCS11HSMKeyTool test /usr/lib/softhsm/libsofthsm2.so TOKEN_LABEL:slot1
CODE
To list all PKCS#11 objects on a slot you can use a command like pkcs11-tool:
pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --token-label slot1 --pin foo123 -O
CODE