  1. EJBCA
  2. ECA-4264

Ability to generate link certificate from key on HSM

    Details

    • Issue discovered during:
      Customer

      Description

      When migrating from a non-EJBCA CA it is useful to be able to create a link certificate by accessing the HSM directly, in case the old CA software is not able to produce the link certificate for some reason (e.g. it might need an extension, such as the name change extension).

      There's already a patch; it just needs to be checked in to SVN.

      Here's how to use the functionality:

      $ java -jar dist/clientToolBox/clientToolBox.jar PKCS11HSMKeyTool \
          linkcert /opt/ETcpsdk/lib/linux-x86_64/libcryptoki.so \
          SLOT_LABEL:nameofslot CSCA_OLD.cacert.pem CSCA_NEW.cacert.pem \
          CSCA_link.crt cscaSignKey

      You need binary certificates (.cvcert) for the CVCA and PEM certificates
      for the X509 CA. The certificate type (CVC/X509) is automatically
      detected. The output is always in binary format (CVCERT or DER).
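
A check one might run on the resulting file before distributing it, as an added example that is not part of the original issue or of EJBCA. It covers the X.509 case only and assumes a link certificate carries the new CA's subject and public key under the old CA's issuer name and signature; the function names are hypothetical, and the file names are the ones from the command above.

```shell
#!/bin/sh
# Added example (not EJBCA code). Assumed X.509 link certificate semantics:
# subject and public key of the NEW CA, issuer and signature of the OLD CA.
# CVC certificates are not handled. Requires the openssl command-line tool.

# Print a certificate's subject or issuer DN in RFC 2253 form.
# $1 = PEM file, $2 = "subject" or "issuer"
dn_of() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"
}

# check_link_cert OLD_CA.pem NEW_CA.pem LINK.der
# Returns 0 when every check passes, 1 otherwise (one line per failed check).
check_link_cert() {
    old=$1; new=$2; link=$3; rc=0
    tmp=$(mktemp) || return 2

    # The tool writes DER output; convert it to PEM for the checks below.
    if ! openssl x509 -inform DER -in "$link" -out "$tmp" 2>/dev/null; then
        echo "FAIL: $link cannot be parsed as an X.509 certificate"
        rm -f "$tmp"; return 1
    fi

    # 1. Issuer must be the old CA.
    [ "$(dn_of "$tmp" issuer)" = "$(dn_of "$old" subject)" ] ||
        { echo "FAIL: issuer is not the old CA subject"; rc=1; }

    # 2. Subject must be the new CA.
    [ "$(dn_of "$tmp" subject)" = "$(dn_of "$new" subject)" ] ||
        { echo "FAIL: subject is not the new CA subject"; rc=1; }

    # 3. Certified public key must be the new CA's key.
    [ "$(openssl x509 -in "$tmp" -noout -pubkey)" = \
      "$(openssl x509 -in "$new" -noout -pubkey)" ] ||
        { echo "FAIL: public key differs from the new CA key"; rc=1; }

    # 4. Signature must verify under the old CA certificate
    #    (assumes the old CA certificate is self-signed and still valid).
    openssl verify -CAfile "$old" "$tmp" >/dev/null 2>&1 ||
        { echo "FAIL: signature does not verify under the old CA"; rc=1; }

    rm -f "$tmp"
    [ "$rc" -eq 0 ] && echo "OK: $link links old CA to new CA"
    return "$rc"
}

# Usage with the file names from the command above:
#   check_link_cert CSCA_OLD.cacert.pem CSCA_NEW.cacert.pem CSCA_link.crt
```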


              People

              Assignee:
              samuel Samuel Lidén Borell
              Reporter:
              samuel Samuel Lidén Borell
              Verified by:
              Mike Agrenius Kushner