YubiHSM 2 for EJBCA Deployment Guide: Securing PrimeKey EJBCA with YubiHSM 2

This guide is intended to help systems administrators deploy YubiHSM 2 with YubiHSM PKCS11 Library for use with PrimeKey EJBCA in a Linux server environment. The expected outcome is that the EJBCA Certification Authority (CA) root key is created securely on a YubiHSM 2 and that a hardware‐based backup copy of key materials has been produced.


These guidelines for deployment cover basic topics, and the reference system is based on a downloadable EJBCA test environment, so the instructions should be modified as required for your specific environment. It is assumed that the installation is performed on a single server destined to become a Certificate Authority root. It is also assumed that you are familiar with the concepts and processes for working with PrimeKey EJBCA.


Furthermore, this guide focuses on how to deploy EJBCA with YubiHSM 2 in a Linux server environment. For information on how to install EJBCA on a Windows Server platform, see the EJBCA installation guidelines.


We recommend that you use this guide for installing and testing the EJBCA installation and setup of the YubiHSM 2 in a test or lab environment before deploying to production. For guidance on setting up a PKI using EJBCA in a production environment, see PrimeKey’s EJBCA documentation space.


Scenario: In an EJBCA PKI environment, the CA root key must be protected in hardware.


Benefits: YubiHSM 2 guards the CA root key and protects all signing and verification services using the root key.