Create a Crypto Token

In this section, you will learn how to connect Keyfactor EJBCA to your Securosys HSM by adding the HSM as a "Crypto Token" to EJBCA.

Navigate to your EJBCA Admin Web interface: https://your-ejbca-server.example.com:8443/ejbca/adminweb. In the EJBCA menu, under "CA Functions", select "Crypto Tokens". Then select "Create new".

Specify the following values on the New Crypto Token page, depending on the API you are using:

PKCS#11 API

• Enter a name for the New Crypto Token.
• Select PKCS#11 NG from the type dropdown list.
• Select Auto-activation to keep the partition connected when EJBCA is restarted.
• Select P11 Proxy from the library dropdown list.
• Select Slot ID from the reference type dropdown list.
• Enter the slot reference, as defined in the primus.cfg file when you installed and configured the PKCS#11 Provider.
• Select Default from the attribute file dropdown list.
• Enter the PKCS#11 Password twice for the HSM partition.
• Click Save to create the New Crypto Token.

REST API

• Enter a name for the New Crypto Token.
• Select Securosys Primus HSM from the type dropdown list.
• Select the REST API authentication type based on your HSM setup — for example, use Bearer Token for Securosys CloudHSM or mTLS Certificate for on-premises Securosys Primus HSM.
• Enter the Securosys REST API URL.
• Based on your HSM setup, enter the Bearer Token or mTLS Certificate twice.
• Select Auto-activation to keep the partition connected when EJBCA is restarted.
• Click Save to create the New Crypto Token.

Your New Crypto Token is now available for use in EJBCA.

Next Steps

For more information on the EJBCA setup, best practices and how to generate key pairs, refer to Keyfactor EJBCA Documentation.