EJBCA supports using the Unbound’s key management product Unbound Key Control (UKC) to provide enhanced key protection to EJBCA acting as a virtual vHSM.


To integrate the UKC client with EJBCA, the following perquisites must be met:

  • UKC client installed and configured on the machine running EJBCA.
  • A partition to hold the EJBCA key material created on the UKC server.
  • EJBCA machine registered as the partition's client.
  • UKC configured as an HSM module on the EJBCA machine according to the steps outlined below.

For documentation for the Unbound Key Control (UKC), refer to the Unbound Technical Document Library.

Integrate UKC in EJBCA

To configure UKC as an EJBCA PKCS#11 modules, do the following:

  1. Locate the UKC PKCS#11 software file libekmpkcs11.so, for example, /usr/lib64/libekmpkcs11.so.
  2. Locate the list of PKCS#11 CryptoToken libraries in the EJBCA configuration file conf/web.properties, for example:

    # Available PKCS#11 CryptoToken libraries and their display names
  3. Uncomment an entry in the list and add the UKC PKCS#11 library and its displayed name:

    cryptotoken.p11.lib.XX.name=Unbound UKC

    For example:

    # Available PKCS#11 CryptoToken libraries and their display names
    cryptotoken.p11.lib.10.name=Unbound Tech.

For more information on EJBCA HSM modules and configuring HSMs, see Hardware Security Modules (HSM).