Is it possible to delete a Crypto Token without deleting the CA? #662
We have an "old" CA in EJBCA that is already expired and that is bound to an "old" Crypto Token (HSM). Our "current" CA uses a completely different and new Crypto Token; the "old" HSM is not used anymore. Still, as we have noticed, EJBCA won't work correctly unless all Crypto Tokens are online and reachable – even when they are not really used/needed in operation! This means that we have to keep the "old" HSM up and running, just to ensure that EJBCA is working correctly, even though we would like to get rid of the "old" HSM.

Now here is the question: Is it possible to delete the "old" Crypto Token (HSM) from EJBCA, so that we don't depend on it for operation anymore, but still keep the "old" CA in EJBCA? We need to keep the old CA for archival purposes, by the way. So far, I have not dared to just click the "Delete" button beneath the "old" Crypto Token, because I fear it could either delete the CA along with it, or leave the EJBCA instance in a broken state. What would happen if I just deleted the Crypto Token?

BTW: If the "old" Crypto Token (HSM) is not reachable, Admin GUI shows it as "Off-line" and also the Admin GUI loads very slowly. But the real problem is that sending CMP requests to the EJBCA fails with error 500 (internal error) – even though those CMP requests only concern the "new" CA, whose Crypto Token is definitely up and working. So, the absence of the "old" HSM breaks operation of an unrelated CA 😩
Replies: 1 comment 10 replies
Unused crypto tokens should not affect anything else. It works for me, I always have a ton of non-working crypto tokens. You should always only have one crypto token for each slot on an HSM, never have two different crypto tokens pointing to the same slot.
Upgrade, and delete those crypto tokens. Works for me :-)