Creating a New Crypto Token in EJBCA
Point your browser to the EJBCA Admin Web interface, for example: https://your-ejbca-server.com:8443/ejbca/adminweb
In the EJBCA menu, under CA Functions, click Crypto Tokens.
Click Create new and specify the following on the New Crypto Token page, depending on which API you want to use to connect with the HSM:
- PKCS#11 API
  - Enter a name for the New Crypto Token.
  - Select PKCS#11 NG from the type dropdown list.
  - Select Auto-activation to keep the partition connected when EJBCA is restarted.
  - Select P11 Proxy from the library dropdown list.
  - Select Slot ID from the reference type dropdown list.
  - Enter the slot reference, as defined in the primus.cfg file when you installed and configured the PKCS#11 Provider.
  - Select Default from the attribute file dropdown list.
  - Enter the PKCS#11 Password twice for the HSM partition.
  - Click Save to create the New Crypto Token.
- REST API
  - Enter a name for the New Crypto Token.
  - Select Securosys Primus HSM from the type dropdown list.
  - Select the REST API authentication type based on your HSM setup. For example, use Bearer Token for Securosys CloudHSM or mTLS Certificate for on-premises Securosys Primus HSM.
  - Enter the Securosys REST API URL.
  - Based on your HSM setup, enter the Bearer Token or mTLS Certificate twice.
  - Select Auto-activation to keep the partition connected when EJBCA is restarted.
  - Click Save to create the New Crypto Token.
Your New Crypto Token is now available for use in EJBCA.
Tip: For more information on EJBCA setup, best practices and how to generate key pairs, refer to Keyfactor EJBCA Documentation.