Using HSMs

The EU policy requires using an HSM to protect the CAs signature keys. Depending on the algorithms choosen, you have different options and difficulties. Using PKCS#11 the Sun PKCS#11 provider only supports RSA with PKCS1 padding (SHA256WithRSA), and not PSS (SHA256WIthRSAAndMGF1). If using the PSS algorithms, you need to use the IAIK PKCS#11 provider.

For information on ECC support, consult with your HSM vendor.

Currently tested HSMs are Utimaco, SafeNet, and nCipher.

The following additional key properties are available (filled in the CAs token properties) when using a HSM controlling the use of the previous keys:




Alias of the previous signature key, as opposed to certSignKey which is the current signature key.


Sequence identifying the previous signature key, as opposed to the current sequence that is held in the CA token. This sequence will replace the current sequence in the caRef field when signing a request with the CAs previous key.


Alias of a new generated key on the HSM. When updating a CA signed by an external CA this is used to send a request, but the CA is still active using the old key. When the certificate response is received this key is activate and moved to certSignKey/crlSignKey.


The sequence identifying the next signature key.

Normally these properties are set automatically when you generate new keys from the Admin GUI. If keys are generated manually, or if there is an issue, the properties can be modified or set manually.

Generating Keys

The EJBCA Client Toolbox tool ( PKCS11HSMKeyTool) can be used for generating keys on an HSM.

cd dist/clientToolBox
./ PKCS11HSMKeyTool generate /etc/utimaco/ secp256r1 signKey 1

For more information on generating keys, see information on supported curves, refer to documentation for your HSM. For example, for Utimaco documentation is found in chapter 8 of the CS_AdminGuide.pdf. Note that the Java PKCS#11 provider may not support all curves that your HSM supports.

To generate EC keys using the tool, a patch for JDK is needed due to a bug in JDK (see below).

Note that generation command may differ for different HSMs, see Hardware Security Modules (HSM). For example, use the following on the SafeNet ProtectServer Gold:

./ PKCS11HSMKeyTool generate /slot1.cfg secp256r1 signKey

Generating Keys using HSM Tools

Depending on your HSM, you may generate keys and the needed self signed certificate associated with it using HSM tools. For example for the SafeNet ProtectServer, see the HSM documentation in Hardware Security Modules (HSM).

Using EC Keys

For information on using HSMs and ECDSA, see Using ECDSA with an HSM.