EJBCA

Note

EJBCA requires at least NetHSM v3 and nethsm-pkcs11 v2.

EJBCA is open-source PKI Certificate Authority software.

To use NetHSM with EJBCA, you first need to set up the NetHSM PKCS#11 module.

Then configure EJBCA to use the NetHSM PKCS#11 module by adding an entry in the /etc/ejbca/conf/web.properties file:

cryptotoken.p11.lib.418.name=NetHSM
cryptotoken.p11.lib.418.file=/usr/lib/nitrokey/libnethsm_pkcs11.so
cryptotoken.p11.lib.418.canGenerateKey=true

Note

The 418 in the name is an index that must be unique for each PKCS#11 module in the configuration file.
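
A pre-restart check for the entries above, as an added example that is not part of the NetHSM or EJBCA documentation: it flags a reused index, an entry without a name or file, and a library path that does not exist. The sample input is constructed, and the checker assumes simple key=value lines and that every module entry needs both a name and a file.

```python
import os
import re

# Key form shown on this page: cryptotoken.p11.lib.<index>.<attribute>
KEY_RE = re.compile(r"^cryptotoken\.p11\.lib\.(\d+)\.(\w+)$")

# Constructed sample: a second, hypothetical module reuses index 418.
SAMPLE = """\
cryptotoken.p11.lib.418.name=NetHSM
cryptotoken.p11.lib.418.file=/usr/lib/nitrokey/libnethsm_pkcs11.so
cryptotoken.p11.lib.418.canGenerateKey=true
cryptotoken.p11.lib.418.name=OtherModule
cryptotoken.p11.lib.419.name=Incomplete
"""

def check_p11_entries(text, file_exists=os.path.isfile):
    """Return a list of problems in the PKCS#11 library entries of web.properties."""
    first_seen = {}   # (index, attribute) -> line number of first definition
    entries = {}      # index -> {attribute: value}
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":        # blank line or properties comment
            continue
        key, sep, value = line.partition("=")  # assumes simple key=value lines
        match = KEY_RE.match(key.strip())
        if not sep or not match:
            continue
        index, attr = match.groups()
        if (index, attr) in first_seen:
            problems.append(f"line {lineno}: index {index} reused for '{attr}' "
                            f"(first set on line {first_seen[(index, attr)]})")
            continue
        first_seen[(index, attr)] = lineno
        entries.setdefault(index, {})[attr] = value.strip()
    for index in sorted(entries, key=int):
        attrs = entries[index]
        # Assumption: every module entry needs at least a name and a file.
        for required in ("name", "file"):
            if required not in attrs:
                problems.append(f"index {index}: missing '{required}'")
        if "file" in attrs and not file_exists(attrs["file"]):
            problems.append(f"index {index}: library not found: {attrs['file']}")
    return problems

if __name__ == "__main__":
    for problem in check_p11_entries(SAMPLE):
        print(problem)
```

To check a real installation, pass the contents of /etc/ejbca/conf/web.properties to check_p11_entries instead of SAMPLE.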

After restarting EJBCA, you can add a new Crypto Token in the EJBCA Admin GUI at https://mycahostname/ejbca/adminweb/cryptotoken/cryptotokens.xhtml. The Crypto Token type is PKCS#11 Crypto Token and the Crypto Token name is NetHSM.

Docker Example

We provide an example setup using Docker for testing. To experiment with it, use git to clone the nethsm-pkcs11 repository and then follow the steps described in the container/ejbca/README.md file.