Configuring HSM Connection - dogtagpki/pki GitHub Wiki
To check the HSM configuration in the NSS database:

```
$ modutil -dbdir /var/lib/pki/pki-tomcat/conf/alias -list
```
To add the nFast HSM module:

```
$ modutil \
    -dbdir /var/lib/pki/pki-tomcat/conf/alias \
    -nocertdb \
    -add nfast \
    -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so \
    -force
```
To add the LunaSA HSM module:

```
$ modutil \
    -dbdir /var/lib/pki/pki-tomcat/conf/alias \
    -nocertdb \
    -add lunasa \
    -libfile /usr/safenet/lunaclient/lib/libCryptoki2_64.so \
    -force
```
The HSM password is stored in `/var/lib/pki/pki-tomcat/conf/password.conf`:

```
hardware-<token>=<password>
```
The configuration for the SSL server certificate is stored in `/var/lib/pki/pki-tomcat/conf/serverCertNick.conf`:

```
<token>:sslserver
```
The configuration for the CA system certificates is stored in `/var/lib/pki/pki-tomcat/conf/ca/CS.cfg`:

```
ca.cert.audit_signing.nickname=<token>:ca_audit_signing
ca.cert.ocsp_signing.nickname=<token>:ca_ocsp_signing
ca.cert.signing.nickname=<token>:ca_signing
ca.cert.sslserver.nickname=<token>:sslserver
ca.cert.subsystem.nickname=<token>:subsystem
ca.audit_signing.tokenname=<token>
ca.ocsp_signing.tokenname=<token>
ca.signing.tokenname=<token>
ca.sslserver.tokenname=<token>
ca.subsystem.tokenname=<token>
cloning.module.token=<token>
log.instance.SignedAudit.signedAuditCertNickname=<token>:ca_audit_signing
```
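The three files above must agree with each other: every `ca.<cert>.tokenname` needs a matching `<token>:` prefix on `ca.cert.<cert>.nickname`, every token named needs a `hardware-<token>` entry in `password.conf`, and `serverCertNick.conf` must name the same certificate as `ca.cert.sslserver.nickname`. The following consistency check is an added example, not part of the pki project; it runs on constructed sample contents (the token names `nfast` and `lunasa` are assumptions) in place of the real files under `/var/lib/pki/pki-tomcat/conf`.

```python
import re
# Constructed sample contents for the files under /var/lib/pki/pki-tomcat/conf;
# the token names "nfast" and "lunasa" are assumptions.
PASSWORD_CONF = """\
internal=Secret.123
hardware-nfast=Secret.456
"""
SERVER_CERT_NICK_CONF = "nfast:sslserver\n"
CS_CFG = """\
ca.cert.audit_signing.nickname=nfast:ca_audit_signing
ca.cert.sslserver.nickname=sslserver
ca.cert.subsystem.nickname=nfast:subsystem
ca.audit_signing.tokenname=nfast
ca.sslserver.tokenname=nfast
ca.subsystem.tokenname=lunasa
"""

def parse_kv(text):
    """Parse key=value lines; password.conf and CS.cfg share this layout."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries

def check_hsm_config(password_conf, server_cert_nick_conf, cs_cfg):
    """Return a list of inconsistencies; an empty list means the files agree."""
    problems = []
    passwords = parse_kv(password_conf)
    cfg = parse_kv(cs_cfg)
    for key, token in cfg.items():
        m = re.fullmatch(r"ca\.(\w+)\.tokenname", key)
        if not m:
            continue
        cert = m.group(1)
        nick = cfg.get(f"ca.cert.{cert}.nickname", "")
        # Each HSM-held certificate must be referenced as <token>:<nickname>
        if not nick.startswith(token + ":"):
            problems.append(f"ca.cert.{cert}.nickname={nick!r} is not prefixed with token {token!r}")
        # The server cannot log in to the token without a hardware-<token> entry
        if f"hardware-{token}" not in passwords:
            problems.append(f"password.conf lacks hardware-{token}")
    # serverCertNick.conf must name the same certificate as CS.cfg
    if server_cert_nick_conf.strip() != cfg.get("ca.cert.sslserver.nickname"):
        problems.append("serverCertNick.conf disagrees with ca.cert.sslserver.nickname")
    return problems
```

On the sample above the check reports four problems (an unprefixed `sslserver` nickname, a `subsystem` certificate whose nickname names a different token than its `tokenname`, the missing `hardware-lunasa` password, and the `serverCertNick.conf` mismatch); with those corrected it returns an empty list.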