EJBCA Installation and Configuration Guide
EJBCA and YubiHSM 2 work well together once suitable asymmetric keys have been generated on the YubiHSM 2. Even though the EJBCA Adminweb does provide functionality to generate keys on an HSM, this functionality cannot be used with YubiHSM 2. Instead, keys need to be generated using the YubiHSM 2 Setup Tool. Once the keys are generated, they can be used, tested and removed using the functionality provided by EJBCA.
When generating new keys on the YubiHSM 2 for use by an existing installation of EJBCA, the relevant crypto token must be reactivated before the new keys are accessible by EJBCA.
Note
A key alias on EJBCA is equivalent to a key label on the YubiHSM 2.
Prerequisites
Download the installation package suitable for the operating system from the Yubico Developers website. The following packages should be installed:
Configuring a New EJBCA Installation
While following the installation instructions provided by EJBCA, the instructions below need to be executed before deploying EJBCA for the first time:
Step 1: | Decide how many keys to generate and what aliases they should have. See the documentation in |
---|---|
Step 2: | Use the YubiHSM 2 Setup Tool to generate the keys on the YubiHSM 2, one at a time. |
Step 3: | Set the environment variable |
Step 4: | When configuring EJBCA, make sure to configure the following properties files:
|
Note
The number 255 is just an example. It can be any “available” number. See documentation in EJBCA_HOME/conf/web.properties.
Configuring an Existing EJBCA Installation
Step 1: | Set the environment variable |
---|---|
Step 2: | Configure cryptotoken.p11.lib.255.name=<label to identify the YubiHSM 2>
cryptotoken.p11.lib.255.file=/path/to/yubihsm_pkcs11.so
|
Step 3: | Re-deploy EJBCA and restart the application server. |
Step 4: | On EJBCA Adminweb, create a new CryptoToken:
|
Step 5: | On the command line, use the YubiHSM 2 Setup Tool to generate keys on the YubiHSM 2, one at a time. |
Step 6: | On EJBCA Adminweb, deactivate and then re-activate the Crypto Token created in step 4. The new keys on the YubiHSM 2 are now ready to be used. |
Important
The slot number of the shared PKCS#11 library must be 0.
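A pre-deployment check for the cryptotoken.p11.lib entries shown in step 2 above, as an added example that is not part of the original guide or of EJBCA: it parses properties text and reports missing name/file pairs and library paths that are relative, absent, or writable by group or others (the module is loaded into the CA's process). The function names are hypothetical, and the permission check is an added hardening assumption, not an EJBCA requirement.

```python
import os
import re
import stat

# Matches cryptotoken.p11.lib.<N>.name / .file lines from web.properties.
_P11 = re.compile(r"^cryptotoken\.p11\.lib\.(\d+)\.(name|file)\s*[=:]\s*(.*)$")


def parse_p11_entries(text):
    """Return {index: {"name": ..., "file": ...}} from properties text."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or properties comment
            continue
        m = _P11.match(line)
        if m:
            entries.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3).strip()
    return entries


def check_p11_entries(text):
    """Return a list of problems; an empty list means the entries look sane."""
    problems = []
    entries = parse_p11_entries(text)
    if not entries:
        problems.append("no cryptotoken.p11.lib.<N> entries found")
    for idx, e in sorted(entries.items()):
        for key in ("name", "file"):
            if not e.get(key):
                problems.append(f"lib.{idx}: missing or empty .{key}")
        path = e.get("file")
        if not path:
            continue
        if not os.path.isabs(path):
            problems.append(f"lib.{idx}: {path} is not an absolute path")
        elif not os.path.isfile(path):
            problems.append(f"lib.{idx}: {path} does not exist")
        elif os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            # Assumed hardening rule: other local users must not be able
            # to replace a module that is loaded into the CA process.
            problems.append(f"lib.{idx}: {path} is group/world-writable")
    return problems


if __name__ == "__main__":
    # Constructed sample: no .name line, and the page's placeholder path.
    sample = "cryptotoken.p11.lib.255.file=/path/to/yubihsm_pkcs11.so\n"
    print(check_p11_entries(sample))
```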