ENTERPRISE: This is a SignServer Enterprise feature.
The JackNJI11CryptoToken is a crypto token that uses PKCS#11 to communicate with the HSM, but through a different provider than the SunPKCS11 provider used by, for instance, the regular PKCS11CryptoToken.
| Property | Description |
|---|---|
| DEFAULTKEY | The key alias. Required. |
| PIN | Authentication code for activation. Only required for auto-activation; otherwise the token can be activated manually. |
| | Name of the pre-defined PKCS#11 library to use. The available libraries are configured in signserver_deploy.properties. Required. |
| SLOTLABELTYPE | Indicates how the slot should be identified. Supported values are SLOT_NUMBER and SLOT_INDEX. Required. |
| | The slot to use, identified with the type specified in SLOTLABELTYPE. SLOT_LABEL is currently not supported. |
| | Specify a PKCS#11 attribute to use when generating a key, where x is the object class: PUBLIC or PRIVATE. |
| USE_CACHE | Specify whether key and certificate search results from the HSM should be cached. This can prevent problems caused by too many find-object requests under high load with some PKCS#11 implementations. Optional; default true. |
Secret Key generation
When generating a secret key through the JackNJI11CryptoToken, the algorithm name can be supplied in the following ways. See also Crypto Token Generate Key Page.
- Standard Java name. Example: AES, DES. If the specified key algorithm name is not in the predefined list of known secret key algorithms, it must be given with the prefix "SEC:", for example SEC:Blowfish. Currently, the list of known secret key algorithms contains AES and DES.
- CKM long value. Example: SEC:4224, where 4224 is the decimal (long) value of the AES_KEY_GEN constant in the PKCS#11 specification. "SEC:" is used as the prefix.
- CKM hexadecimal value. Example: SEC:0x00001080, where 0x00001080 is the hexadecimal value of the AES_KEY_GEN constant in the PKCS#11 specification. "SEC:" is used as the prefix.
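As an added example (not SignServer's own code), the following Python resolver shows how the naming forms listed above map to a PKCS#11 key-generation mechanism value, and which inputs should be rejected. The 4224 / 0x00001080 value for AES_KEY_GEN comes from this page; the CKM_DES_KEY_GEN and CKM_BLOWFISH_KEY_GEN values are the standard PKCS#11 constants. Case-insensitive name matching, the handling of an empty "SEC:" value, the range check, and the acceptance of a known name after the "SEC:" prefix (such as SEC:AES) are assumptions of this example, not documented SignServer behaviour.

```python
import re

# Key-generation mechanism values (CKM_*_KEY_GEN) from the PKCS#11 specification.
# 0x1080 (AES_KEY_GEN) is the value given on the page; DES and Blowfish are the
# standard PKCS#11 constants, added here for the example.
CKM_AES_KEY_GEN = 0x00001080
CKM_DES_KEY_GEN = 0x00000120
CKM_BLOWFISH_KEY_GEN = 0x00001090

# The predefined list of known secret key algorithms (the page lists AES and DES),
# usable without a prefix.
KNOWN_SECRET_KEY_ALGORITHMS = {
    "AES": CKM_AES_KEY_GEN,
    "DES": CKM_DES_KEY_GEN,
}

# Names accepted only with the "SEC:" prefix. Blowfish is the page's example;
# the mapping itself is an assumption of this example.
PREFIXED_SECRET_KEY_ALGORITHMS = {
    "BLOWFISH": CKM_BLOWFISH_KEY_GEN,
}

SEC_PREFIX = "SEC:"
CK_MECHANISM_TYPE_MAX = 0xFFFFFFFF  # assumed 32-bit CK_ULONG for the range check


def resolve_secret_key_mechanism(name: str) -> int:
    """Return the CKM mechanism value for a key algorithm name written in one of
    the forms described above; raise ValueError for anything else."""
    if not isinstance(name, str) or not name.strip():
        raise ValueError("empty key algorithm name")
    name = name.strip()

    # Form 1: a standard Java name from the predefined list, no prefix.
    if not name.upper().startswith(SEC_PREFIX):
        try:
            return KNOWN_SECRET_KEY_ALGORITHMS[name.upper()]
        except KeyError:
            raise ValueError(
                f"{name!r} is not a known secret key algorithm; "
                f"give it with the {SEC_PREFIX} prefix") from None

    value = name[len(SEC_PREFIX):].strip()
    if not value:
        raise ValueError("nothing follows the SEC: prefix")

    if re.fullmatch(r"0[xX][0-9a-fA-F]+", value):
        # Form 3: hexadecimal CKM value, e.g. SEC:0x00001080
        mechanism = int(value, 16)
    elif re.fullmatch(r"[0-9]+", value):
        # Form 2: decimal CKM long value, e.g. SEC:4224
        mechanism = int(value, 10)
    else:
        # Form 1b: an algorithm name outside the predefined list, e.g. SEC:Blowfish.
        # Known names are accepted with the prefix as well (assumption, see lead-in).
        lookup = {**KNOWN_SECRET_KEY_ALGORITHMS, **PREFIXED_SECRET_KEY_ALGORITHMS}
        try:
            return lookup[value.upper()]
        except KeyError:
            raise ValueError(f"unknown secret key algorithm {value!r}") from None

    # A numeric value must fit a CK_MECHANISM_TYPE; reject anything that cannot.
    if mechanism > CK_MECHANISM_TYPE_MAX:
        raise ValueError(f"mechanism value out of range: {value}")
    return mechanism


if __name__ == "__main__":
    for spec in ("AES", "SEC:4224", "SEC:0x00001080", "SEC:Blowfish", "Blowfish"):
        try:
            print(f"{spec:16} -> 0x{resolve_secret_key_mechanism(spec):08X}")
        except ValueError as err:
            print(f"{spec:16} -> rejected: {err}")
```

Note that the three page examples for AES (the bare name, SEC:4224 and SEC:0x00001080) all resolve to the same mechanism value, which is the point of allowing either notation; a name that is not in the predefined list and carries no prefix is rejected rather than silently guessed.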
- Multiple different CA certificates with the same subject DN cannot be stored in the token (see DSS-1544).
- Changes made in an HSM slot from a different process (i.e. outside the application server) might not be visible within SignServer without a restart of the application server. To use new key-pairs directly, it is recommended to generate the keys from within SignServer.