I have already followed all the steps to create a crypto token with YubiHSM 2. Using clientToolBox I can even see the slot and the tokens in the console, but when I try to create the crypto token in EJBCA it does not allow me. I wanted to know if I could get more information apart from what Yubico has on its website.
Not that I know of. What do you mean by "does not allow"? If it works in clientToolBox, it usually means it works in EJBCA.
You can continue the discussion at GitHub: https://github.com/Keyfactor/ejbca-ce/discussions
I already created the asymmetric key and the attestation certificate with the requested capabilities, and I already included the library in the EJBCA configuration file, so I can see the library when creating the crypto token. But when I create it following the steps as they are, it gives me an error.
I also tried to create it with clientToolBox and I get the following error:
root@criptografia:/opt/ejbca_ce_7_4_3_2/dist/clientToolBox# ./ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so secp256r1 defaultKey 0
Using Slot Reference Type: Slot Number.
Contraseña del Token PKCS11 [SunPKCS11-yubihsm_pkcs11.so-slot0]:
Command could not be executed. See log for stack trace.
2023-02-15 15:24:04,803 ERROR [org.ejbca.ui.cli.HSMKeyTool] Command 'PKCS11HSMKeyTool generate /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so secp256r1 defaultKey 0' could not be executed.
java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_VALUE_INVALID
at sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:424)
at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:697)
at org.cesecore.keys.util.KeyStoreTools.generateKeyPair(KeyStoreTools.java:453)
at org.cesecore.keys.util.KeyStoreTools.generateEC(KeyStoreTools.java:252)
at org.cesecore.keys.util.KeyStoreTools.generateKeyPair(KeyStoreTools.java:364)
at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:243)
at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:730)
at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:70)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_VALUE_INVALID
at sun.security.pkcs11.wrapper.PKCS11.C_GenerateKeyPair(Native Method)
at sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:416)
... 8 more
Continuing at GitHub.