EJBCA

Note

EJBCA requires at least NetHSM v3 and nethsm-pkcs11 v2.

EJBCA is PKI Certificate Authority software available in a Community Edition (CE) and an Enterprise Edition (EE).

EJBCA Community

EJBCA Community Edition is open-source PKI Certificate Authority software.

To use NetHSM with EJBCA CE you need to set up the NetHSM PKCS#11 module first.

Then configure EJBCA to use the NetHSM PKCS#11 module by adding an entry to the file /etc/ejbca/conf/web.properties:

cryptotoken.p11.lib.418.name=NetHSM
cryptotoken.p11.lib.418.file=/usr/lib/nitrokey/libnethsm_pkcs11.so
cryptotoken.p11.lib.418.canGenerateKey=true

Note

The 418 in the key name is an index that must be unique for each PKCS#11 module in the configuration file.

After restarting EJBCA you can add a new Crypto Token in the EJBCA admin web interface at https://mycahostname/ejbca/adminweb/cryptotoken/cryptotokens.xhtml. The Crypto Token type is PKCS#11 Crypto Token and the Crypto Token name is NetHSM.
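The steps above (module set up, web.properties entry, unique index, restart, token in the admin web) as one script. This is an added example, not code from EJBCA or the nethsm-pkcs11 project: it optionally checks that the module loads and exposes a slot with OpenSC's pkcs11-tool, then appends the three cryptotoken.p11.lib.<index>.* keys from the page while refusing to reuse an index already taken by another module. The EJBCA_PROPS and NETHSM_LIB variables, the --apply flag and the helper names are this script's own assumptions; the paths are the ones shown on the page.

```shell
#!/bin/sh
# Added example (not part of EJBCA or nethsm-pkcs11): register the NetHSM
# PKCS#11 module in EJBCA CE's web.properties without clobbering an index
# that another PKCS#11 module already uses.
# Assumptions: EJBCA_PROPS, NETHSM_LIB, the --apply flag and the function
# names below are this script's own; the default paths come from the page.
EJBCA_PROPS=${EJBCA_PROPS:-/etc/ejbca/conf/web.properties}
NETHSM_LIB=${NETHSM_LIB:-/usr/lib/nitrokey/libnethsm_pkcs11.so}

# Optional sanity check before touching EJBCA: the module must load and list
# at least one slot (slots come from the nethsm-pkcs11 configuration file).
# Uses OpenSC's pkcs11-tool when installed; returns 0 if it cannot run.
check_module() {
  command -v pkcs11-tool >/dev/null 2>&1 || {
    echo "pkcs11-tool not found, skipping module check" >&2
    return 0
  }
  pkcs11-tool --module "$1" --list-slots
}

# Return 0 if no cryptotoken.p11.lib.<idx>.* key exists yet in file $1.
index_free() {
  file=$1; idx=$2
  [ -f "$file" ] || return 0
  ! grep -q "^cryptotoken\.p11\.lib\.$idx\." "$file"
}

# Append the three keys for module $4 under index $2 with display name $3.
# Fails (exit 1, file untouched) if the index is already in use.
add_p11_lib() {
  file=$1; idx=$2; name=$3; lib=$4
  if ! index_free "$file" "$idx"; then
    echo "error: index $idx is already used in $file; pick another one" >&2
    return 1
  fi
  printf '%s\n' \
    "cryptotoken.p11.lib.$idx.name=$name" \
    "cryptotoken.p11.lib.$idx.file=$lib" \
    "cryptotoken.p11.lib.$idx.canGenerateKey=true" >> "$file"
}

# Lowest unused index >= $2 in file $1, for registering several modules.
next_free_index() {
  file=$1; idx=${2:-0}
  while ! index_free "$file" "$idx"; do idx=$((idx + 1)); done
  echo "$idx"
}

# Usage: sh register-nethsm.sh --apply   (then restart EJBCA)
if [ "${1:-}" = "--apply" ]; then
  check_module "$NETHSM_LIB"
  add_p11_lib "$EJBCA_PROPS" 418 NetHSM "$NETHSM_LIB" &&
    echo "restart EJBCA, then create a PKCS#11 Crypto Token named NetHSM in the admin web"
fi
```

Run it with --apply on the CA host as a user that may write web.properties; without the flag it only defines the functions. If 418 is already taken, use the value printed by next_free_index instead, and keep the same index on every CA node that shares the token.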

Docker Example

We provide an example setup using Docker for testing. To experiment with it, clone the nethsm-pkcs11 repository with git and follow the steps described in the file container/ejbca/README.md.

EJBCA Enterprise

EJBCA Enterprise Edition provides advanced features and enterprise support.

Configuration for EJBCA EE differs from the Community Edition. Instead of configuring the PKCS#11 module directly in EJBCA, the Enterprise Edition uses a sidecar container. This sidecar provides the p11ng (PKCS#11 Next Generation) connection to NetHSM, so the main EJBCA container does not need to be modified.

For detailed information on configuring Hardware Security Modules (HSM) with EJBCA EE, refer to the official EJBCA HSM documentation.

Docker Setup

We provide a complete containerized setup for EJBCA EE integration with NetHSM. The setup includes:

  • EJBCA EE container

  • NetHSM PKCS#11 sidecar container (p11ng)

  • NetHSM container for testing

You can find the container image and configuration in the container/ejbca-ee/ directory of the nethsm-pkcs11 repository.

The directory includes a complete docker-compose.yml file that brings up all necessary components, including a NetHSM instance for testing purposes. This provides a ready-to-use environment for experimenting with EJBCA EE and NetHSM integration.

Note

The Dockerfile and docker-compose.yml reference the official image repositories; make sure to run docker login before using them.

A current limitation is that there is no way to select the padding scheme for a particular Crypto Token. RSA signatures will therefore always use PKCS#1 v1.5 padding (not PSS).
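A check for the limitation just described: report which RSA signature padding a certificate actually carries, so you can confirm what EJBCA issued through the NetHSM token (or catch a relying party that expects PSS). This is an added example, not code from EJBCA or nethsm-pkcs11; it assumes the openssl command line tool is installed. The test-certificate generator and the --demo flag are this script's own additions, and the certificates it creates are constructed test material, not output of EJBCA.

```shell
#!/bin/sh
# Added example (not part of EJBCA or nethsm-pkcs11): tell PKCS#1 v1.5 from
# RSASSA-PSS signatures on an issued certificate using only the openssl CLI.
# Assumptions: openssl is installed; make_test_certs and --demo are this
# script's own helpers, and the certificates they create are test material.

# Print "PSS", "PKCS#1 v1.5" or "unknown" for the PEM certificate in $1,
# based on the signatureAlgorithm that openssl prints for the certificate
# (sha256WithRSAEncryption and friends are PKCS#1 v1.5, rsassaPss is PSS).
sig_padding() {
  alg=$(openssl x509 -in "$1" -noout -text | grep -m1 'Signature Algorithm' | tr 'A-Z' 'a-z')
  case $alg in
    *pss*)               echo "PSS" ;;
    *withrsaencryption*) echo "PKCS#1 v1.5" ;;
    *)                   echo "unknown" ;;
  esac
}

# Constructed test material: one RSA key, self-signed once with each padding.
make_test_certs() {
  dir=$1
  openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
  # sha256WithRSAEncryption: what a NetHSM Crypto Token in EJBCA produces today
  openssl req -x509 -new -key "$dir/key.pem" -out "$dir/v15.pem" \
    -subj "/CN=pad-test" -days 1 -sha256
  # RSASSA-PSS: the scheme that currently cannot be selected for the token
  openssl req -x509 -new -key "$dir/key.pem" -out "$dir/pss.pem" \
    -subj "/CN=pad-test" -days 1 -sha256 \
    -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:digest
}

# Usage: sh sig-padding.sh --demo   or   sig_padding issued-cert.pem
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_test_certs "$d"
  for c in v15 pss; do
    printf '%s: %s\n' "$c.pem" "$(sig_padding "$d/$c.pem")"
  done
  rm -rf "$d"
fi
```

Point sig_padding at a certificate issued by the EJBCA CA backed by NetHSM and it should report PKCS#1 v1.5; the same test works for CRLs via openssl crl -text if you need to document the padding in an audit.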