Create Keystore in HSM with ClientToolBox

To create a keystore in the HSM using clientToolBox, do the following:

  1. A utility called clientToolBox is included with your SignServer Cloud instance.  This utility is usually provided with EJBCA, but has been preloaded onto your SignServer ECE instance for ease.  Create a key called testkey with clientToolBox.  SignServer will use this key for healthcheck and keepalive to the HSM.
    (warning) It is important to run these commands as the wildfly user. This is due to file system access permissions and maintaining the permissions for wildfly to be able to use these keys.
    # su - wildfly
    # /opt/PrimeKey/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /opt/PrimeKey/cloudhsm/p11.conf 2048 testKey0001
  2. You will be prompted for a password in the format of <HSM_CryptoUser>:<password>
    For example, the following is the PKCS #11 PIN for an HSM crypto user (CU) with user name CryptoUser and password CUPassword123!:

    CryptoUser:CUPassword123!
  3. Create one more keys called signKey with the following command:
    # /opt/PrimeKey/clientToolBox/ejbcaClientToolBox.shh PKCS11HSMKeyTool generate /opt/PrimeKey/cloudhsm/p11.conf 4096 signKey0001