Using HSMs
The EU policy requires using an HSM to protect the CAs signature keys. Depending on the algorithms chosen, you have different options and difficulties. Using PKCS#11 the Sun PKCS#11 provider only supports RSA with PKCS1 padding (SHA256WithRSA), and not PSS (SHA256WIthRSAAndMGF1). If using the PSS algorithms, you need to use the JDK patch by PrimeKey, or wait for a JDK where support for RSA-PSS in the Java PKCS#11 provider is included by default (JDK8u241 or JDK11.0.6 or later according to JDK-8080462).
For information on ECC support, consult with your HSM vendor.
Currently tested HSMs are Utimaco, SafeNet, and nCipher.
The following additional key properties are available (filled in the CAs token properties) when using an HSM controlling the use of the previous keys:
Property |
Description |
previousCertSignKey |
Alias of the previous signature key, as opposed to certSignKey which is the current signature key. |
previousSequence |
Sequence identifying the previous signature key, as opposed to the current sequence that is held in the CA token. This sequence will replace the current sequence in the caRef field when signing a request with the CAs previous key. |
nextCertSigningKey |
Alias of a newly generated key on the HSM. When updating a CA signed by an external CA this is used to send a request, but the CA is still active using the old key. When the certificate response is received, this key is activated and moved to certSignKey/crlSignKey. |
nextSequence |
The sequence identifying the next signature key. |
Normally these properties are set automatically when you generate new keys from the Admin GUI. If keys are generated manually, or if there is an issue, the properties can be modified or set manually.
Generating Keys
The EJBCA Client Toolbox tool (ejbcaClientToolBox.sh PKCS11HSMKeyTool) can be used for generating keys on an HSM.
cd dist/clientToolBox
./ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /etc/utimaco/libcs2_pkcs11.so secp256r1 signKey 1
For more information on generating keys, see information on supported curves, refer to the documentation for your HSM. For example, for Utimaco documentation is found in chapter 8 of the CS_AdminGuide.pdf. Note that the Java PKCS#11 provider may not support all curves that your HSM supports.
To generate EC keys using the ejbcaClientToolBox.sh tool, a patch for JDK is needed due to a bug in JDK (see below).
Note that generation command may differ for different HSMs, see Hardware Security Modules (HSM). For example, use the following on the SafeNet ProtectServer Gold:
.
/ejbcaClientToolBox
.sh PKCS11HSMKeyTool generate
/slot1
.cfg secp256r1 signKey
Generating Keys using HSM Tools
Depending on your HSM, you may generate keys and the needed self signed certificate associated with it using HSM tools. For example for the SafeNet ProtectServer, see the HSM documentation in Hardware Security Modules (HSM).
Using EC Keys
For information on using HSMs and ECDSA, see Using ECDSA with an HSM.