PKCS#11 Proxy to use with EJBCA

Help
Roman
2014-06-18
2014-07-01
  • Roman
    2014-06-18

    Guys,

    Do you know of any PKCS#11 proxy that could be used with EJBCA?

    My situation is that I have a USB-attached, PKCS#11-enabled cryptographic device, and EJBCA is installed on a different machine. The only way to access the USB device is through the network.

    Is it possible?

     
  • PrimeKey has a P11 proxy, and I have seen one from some other company as well. I do not know of any open source ones.

    Cheers,
    Tomas

     
  • Roman
    2014-06-19

    And I assume that there is no way to get your P11 proxy without paid support... :)

    I tried googling for it for a while and found the following:
    - PKCS#11 Proxy from Gnome Keyring project (http://floss.commonit.com/pkcs11-proxy.html)
    - caml-crush filtering PKCS#11 Proxy (https://github.com/ANSSI-FR/caml-crush)

    Basically, I can use my PKCS#11 middleware through the network, but in both cases I can't generate, for example, an RSA key pair due to some RPC errors... so I think it wouldn't be usable without some debugging and modifications.

    But thanks, I will try to fight with these open source proxies...

     
  • And I assume that there is no way to get your P11 proxy without paid
    support... :)

    Correct. EJBCA needs support from large organizations in order to survive and evolve.

    Cheers,
    Tomas

     
  • Roman
    2014-07-01

    Now the caml-crush filtering PKCS#11 Proxy (https://github.com/ANSSI-FR/caml-crush) is fixed and it can be used as a PKCS#11 proxy.

    It is open source and has very good security features. I tested it with EJBCA and everything works great.