Crypto Tokens Overview

This overview provides information on what crypto tokens are, what they do and also lists crypto token fields.

For more information about how to manage crypto tokens, see Crypto Tokens Operations.

Description

Historically the term crypto token denotes the differentiation of a smart keycard and a slot reader, where the card and the slot from which it is read are not permanent.

images/download/thumbnails/75859421/CryptoToken.png

As the modern HSM became widely used, this model has become dated, but the terminology remains. The modern crypto token most often remains in the same memory area of the HSM (the two being one and the same), though while crypto token labels and slot indexes are always constant, slot numbering may vary. In EJBCA, the term crypto token means an area of memory containing keys, whether this is an HSM slot or a soft keystore created locally.

images/download/thumbnails/75859421/CryptoTokenSlot.png

Usage

Common for all EJBCA crypto tokens is that:

  • A crypto token may exist on one and only one slot.

  • A crypto token may contain any number of keypairs and aliases.

To this end, crypto tokens have several different applications in EJBCA:

Crypto Token Fields

Common Fields

Common fields for all crypto tokens:

Field

Description

Name

A user-friendly name for the Crypto Token.

Type

PKCS#11 HSM slot mapping or a Soft PKCS#12 keystore in the database.

Authentication Code

The PKCS#11 slot PIN or the password that will protect the soft keystore.

Repeat Authentication Code

Should be the same as the Authentication Code value.

Auto-activation

If the authentication code should be stored (encrypted) in the database and used to always keep the Crypto Token active.

Allow export of private keys

If selected, EJBCA will not try to prevent Soft Crypto Token keystore export.

Use explicit ECC parameters (ICAO CSCA and DS certificates)

Select to use the explicit ECC parameters. If cleared, the parameters are ignored.

images/s/-98b7og/8401/7d0034e810b0e95b8c0694abfaf748cf5135c15a/_/images/icons/emoticons/warning.svg Note that this is only applicable for ePassport ICAO CSCA and DS certificates.

PKCS#11 Fields

In addition to the common fields, the following fields are available if you have chosen to create a PKCS#11 crypto token:

Field

Description

PKCS#11 Library

PKCS#11 shared library configured as available in conf/web.properties.

PKCS#11 Reference Type

Type of a slot reference described by the PKCS#11 Reference (Id, Index or Label).

PKCS#11 Reference

PKCS#11 slot number, index or label.

PCKS#11 Attribute File

If required, this is a PKCS#11 attribute file configured as available in conf/web.properties. Note that this should only be required for non-common HSMs.

PKCS#11 may require additional configuration of your application server, see Application Servers.

For more information on PKCS#11 properties, see Hardware Security Modules (HSM). A unique Crypto Token identifier is generated when the token is created.

Crypto Token Authorization

For all authorized CA operations, authorization for underlying Crypto Token operations are implied. The minimum authorization required to create a CA is authorization to "view" and "use" (or "modify") a Crypto Token. Since modification of PKCS#11 Crypto Tokens can change the slot mapping, the same authorization for creation and modification are required.

The following lists the authorization rules:

Authorization Rule

Description

/cryptotoken/

Required for displaying the Crypto Token management in the Admin GUI.

/cryptotoken/view/cryptoTokenId

Required for viewing Crypto Token information and listing key pairs.

/cryptotoken/use/cryptoTokenId

Required for binding a Crypto Token to a CA.

/cryptotoken/modify/

Required for creating or modifying a Crypto Token.

/cryptotoken/delete/

Required for deletion of a Crypto Token.

/cryptotoken/activate/cryptoTokenId

Required for activation of a Crypto Token.

/cryptotoken/deactivate/cryptoTokenId

Required for de-activation of a Crypto Token.

/cryptotoken/keys/generate/cryptoTokenId

Required for key pair generation.

/cryptotoken/keys/remove/cryptoTokenId

Required for key pair removal.

/cryptotoken/keys/test/cryptoTokenId

Required for key pair testing.