SoftHSM2 works very well with EJBCA, and after initializing a slot you can use it by creating a new Crypto Token in the Admin GUI.

The user PIN is what you will use to activate the token in EJBCA.

sudo apt-get install softhsm2

To use it as a normal user, make /var/lib/softhsm/tokens available to your normal user (for writing in order to create keys), and /etc/softhsm/* readable by the user.

After setting privileges, you can use softhsm as normal user.

softhsm2-util --init-token --free --label myslot

The Ubuntu package for SoftHSM2 is not always initializing properly (depending on the Ubuntu version you are running) so you may have to create missing directories etc. If you get an ERROR: Could not initialize the library when running the above there is a directory missing, and a token not initialized.

sudo mkdir /var/lib/softhsm/tokens
sudo chmod a+rwx /var/lib/softhsm
sudo chmod a+rwx /var/lib/softhsm/tokens
sudo chmod a+rx /etc/softhsm
sudo chmod a+r /etc/softhsm/*
softhsm2-util --init-token --free --label myslot

The above commands give write privileges to all users in the system and you may wish to tune that to your security policy.

Now you can initialize additional slots. Note that if you provide the --slot parameter to SoftHSM2 it will most likely not become the slot number you specify.

To list the slots, use the following command:

softhsm2-util --show-slots