pkispawn with Custom Configuration

In order to use the HSM, CryptoServer-specific information must be supplied to the pkispawn application. This is done by overriding several default values in a custom configuration file.

The following file contains the minimum set of parameters required to use the CryptoServer.

If you want to configure the CA further to suit your specific needs, consult the official Red Hat documentation. Advanced configuration is outside the scope of the Utimaco Integration Guide series; Utimaco System Engineering will not be able to discuss which extended configurations may be of use in your local environment, how they may or should be configured, or what side effects their use may have.

Create the following file:

[DEFAULT]
pki_admin_password=verysecurepassword
pki_ds_password=verysecurepassword
pki_client_pkcs12_password=verysecurepassword

# Provide HSM parameters
pki_hsm_enable=True
pki_hsm_libfile=/opt/cs/PKCS11_R2/libcs_pkcs11_R2.so
pki_hsm_modulename=UtimacoCryptoServer
pki_token_name={p11_slot_label}
pki_token_password=123456

# Store the PKI-wide keys on the HSM token: each *_token parameter must name
# the token itself, so reference pki_token_name (this is pkispawn's default)
pki_audit_signing_token=%(pki_token_name)s
pki_ssl_server_token=%(pki_token_name)s
pki_subsystem_token=%(pki_token_name)s

[CA]
# Store the CA-specific keys on the same HSM token
pki_ca_signing_token=%(pki_token_name)s
pki_ocsp_signing_token=%(pki_token_name)s
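A pre-flight check for the deployment file above, added here as an example (it is not part of the Utimaco guide or of pkispawn): it parses the file with the same %(name)s interpolation pkispawn uses and reports an unfilled token-name placeholder, per-key token parameters that do not resolve to the HSM token, a disabled HSM, and passwords left at the sample values. The slot label CryptoServerCA and the passwords in FIXED_CONFIG are assumptions made for the sample.

```python
"""Pre-flight check for a pkispawn HSM deployment file (added example, not part
of the Utimaco guide or of pkispawn). It parses the file with the %(name)s
interpolation pkispawn uses and reports what would break or weaken the install."""
import configparser

# Parameters that must name the HSM token; pkispawn's own default for each
# is %(pki_token_name)s, so leaving them out of the file is also correct.
TOKEN_PARAMS = {"DEFAULT": ("pki_audit_signing_token", "pki_ssl_server_token",
                            "pki_subsystem_token"),
                "CA": ("pki_ca_signing_token", "pki_ocsp_signing_token")}
PASSWORD_PARAMS = ("pki_admin_password", "pki_ds_password",
                   "pki_client_pkcs12_password", "pki_token_password")
PLACEHOLDER_PASSWORDS = {"verysecurepassword", "123456", ""}  # guide samples

def check_hsm_config(text):
    """Return a list of problems found in the config text (empty = looks ok)."""
    cfg = configparser.ConfigParser()  # BasicInterpolation expands %(...)s
    cfg.read_string(text)
    d, problems = cfg["DEFAULT"], []
    if d.get("pki_hsm_enable", "False").lower() != "true":
        problems.append("pki_hsm_enable is not True: keys would stay in the NSS softoken")
    token = d.get("pki_token_name", "")
    if not token or "{" in token:
        problems.append(f"pki_token_name is unset or still a placeholder: {token!r}")
    for section, keys in TOKEN_PARAMS.items():
        for key in (keys if section in cfg else ()):
            value = cfg[section].get(key, token)  # interpolated against DEFAULT
            if value != token:
                problems.append(f"[{section}] {key}={value!r} does not name the HSM token")
    for key in PASSWORD_PARAMS:
        if d.get(key, "") in PLACEHOLDER_PASSWORDS:
            problems.append(f"{key} still uses a placeholder value")
    return problems

# Constructed sample that passes (assumed slot label and example-only passwords)
FIXED_CONFIG = """[DEFAULT]
pki_admin_password=Adm1n-Example-Only
pki_ds_password=Ds-Example-Only
pki_client_pkcs12_password=P12-Example-Only
pki_hsm_enable=True
pki_hsm_libfile=/opt/cs/PKCS11_R2/libcs_pkcs11_R2.so
pki_hsm_modulename=UtimacoCryptoServer
pki_token_name=CryptoServerCA
pki_token_password=Tok-Example-Only
[CA]
pki_ca_signing_token=%(pki_token_name)s
pki_ocsp_signing_token=%(pki_token_name)s
"""
```

Run `check_hsm_config(open("pkispawn.conf").read())` on your edited file and fix every reported line before invoking pkispawn; an empty list means the HSM-related parameters are consistent.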

Edit the file to suit your needs, then run

pkispawn -s CA -f pkispawn.conf

After the successful installation, verify that the keys were created in the HSM, for example by listing the objects on the token with p11tool2:

root@ns1# p11tool2 slot=0 LoginUser=123456 ListObjects
...

You now have a running, HSM-backed CA.