EJBCA / Entrust HSM with FIPS 140-2 level 3 security world #281
Replies: 2 comments 1 reply
-
Is there something in particular needed to get EJBCA to honour this setting? I'm using a Bitnami-based Docker image, with /opt/bitnami/ejbca/conf/cesecore.properties containing: However, the "Signature algorithm 'SHA1WithRSA' not working for provider" errors remain unchanged. Using the same setup, I can however create EC keys via the EJBCA GUI and CLI.
-
PS: when it comes to HSMs in FIPS mode I can recommend this Keymasters video that discusses this specific topic.
-
Interesting topic to have searchable here. https://sourceforge.net/p/ejbca/discussion/123122/thread/cce1d6546a/
Hi,
We have come across some difficulties accessing operations on the HSM when trying a FIPS 140-2 level 3 security world. When using a common criteria security world everything worked fine. Creating a crypto token works OK, and when generating an e.g. RSA 4096 bit key it is generated, but the EJBCA GUI displays 'Error: Result from signing is null.' From the log it appears that EJBCA cannot find a valid signature algorithm to use:
The solution is to change a setting in EJBCA that can be set in conf/cesecore.properties called:
pkcs11.disableHashingSignMechanisms
By setting this to false, the specific CKM_RSA_SHA256 etc. mechanisms will be used instead. This causes the full objects-to-be-signed to be sent to the HSM, though, which is typically a lot slower.
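To make concrete what the two values of pkcs11.disableHashingSignMechanisms switch between, here is an added Go example (not EJBCA's code and not from the thread) that uses a software RSA key in place of the HSM: with hashing sign mechanisms enabled, the whole to-be-signed object is handed to the token, which hashes it (PKCS#11 name CKM_SHA256_RSA_PKCS); with them disabled, the application hashes in software and hands the token only a 51-byte DigestInfo for a raw CKM_RSA_PKCS signature. The function names and the constructed sample input are assumptions of this example; both paths yield the identical PKCS#1 v1.5 signature, so only the data flow to the token and the token's policy differ.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
var sha256DigestInfoPrefix = []byte{0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
	0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}

// signHashingMechanism models pkcs11.disableHashingSignMechanisms=false: the whole
// object goes to the token, which hashes and signs it (CKM_SHA256_RSA_PKCS).
// Returns the signature and the number of bytes handed to the token.
func signHashingMechanism(key *rsa.PrivateKey, tbs []byte) ([]byte, int, error) {
	digest := sha256.Sum256(tbs) // stands in for the hash computed inside the token
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return sig, len(tbs), err
}

// signRawMechanism models the default (=true): the application hashes in software,
// wraps the digest in DigestInfo and asks the token for a raw CKM_RSA_PKCS
// signature over those 51 bytes only.
func signRawMechanism(key *rsa.PrivateKey, tbs []byte) ([]byte, int, error) {
	digest := sha256.Sum256(tbs)
	digestInfo := append(append([]byte{}, sha256DigestInfoPrefix...), digest[:]...)
	// crypto.Hash(0) makes Go PKCS#1 v1.5-pad and sign the input bytes as given.
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.Hash(0), digestInfo)
	return sig, len(digestInfo), err
}

// compareMechanisms signs tbs both ways, checks that the raw-mechanism output
// verifies as an ordinary SHA256withRSA signature, and reports whether the two
// signatures are byte-identical plus the bytes each path sent to the token.
func compareMechanisms(key *rsa.PrivateKey, tbs []byte) (bool, int, int, error) {
	a, sentHashing, errA := signHashingMechanism(key, tbs)
	b, sentRaw, errB := signRawMechanism(key, tbs)
	if errA != nil || errB != nil {
		return false, sentHashing, sentRaw, errors.Join(errA, errB)
	}
	digest := sha256.Sum256(tbs)
	if err := rsa.VerifyPKCS1v15(&key.PublicKey, crypto.SHA256, digest[:], b); err != nil {
		return false, sentHashing, sentRaw, err
	}
	return bytes.Equal(a, b), sentHashing, sentRaw, nil
}
```

A token policy that forbids raw CKM_RSA_PKCS over externally computed digests therefore breaks only the second path, which is why flipping the property to false restores signing at the cost of shipping the full object to the HSM.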