From: Tomas G. <to...@pr...> - 2013-07-29 13:07:10
Hi Bruno,

Since it is key recovery I think you have been bitten by https://jira.primekey.se/browse/ECA-2739. It is so that it tries to use PKCS#11 for the symmetric encryption as well, not only for asymmetric. So flags on your keys do not matter. Unfortunately symmetric ciphers on HSMs are a nightmare, where you have to code specifically for each HSM. So this might work with another HSM, but not the Luna.

The solution was to use BC (soft) for the symmetric session keys and asymmetric (HSM) for session key wrapping. This requires a later version of BC than present in EJBCA 4, something that is a big task. So backporting the fix to EJBCA 4 is unfortunately not an option at this point.

Your best options currently might be:
- Move to Enterprise Edition (CC certified EJBCA 5)
- Use soft CA keys
- Wait for EJBCA 6 (sometime during autumn)

Cheers,
Tomas

**********
PrimeKey Solutions AB
Anderstorpsvägen 16, 171 54 Solna, Sweden
Mob: +46 (0)707421096
Internet: www.primekey.se
Twitter: twitter.com/primekeyPKI
**********

On 07/29/2013 02:01 PM, Bruno Bonfils wrote:
> Hello,
>
> I have an exception: "No key recovery data exists for user" when I try
> to reissue a P12 keystore issued by a CA stored in a Luna HSM. The
> entity is marked as 'Key recoverable' and status is set to 'Key
> Recovery'.
>
> I also have the following error:
> "sun.security.pkcs11.wrapper.PKCS11Exception: CKR_TEMPLATE_INCONSISTENT"
>
> Here are the CA PKCS11 properties:
>
> sharedLib=/usr/lunasa/lib/libCryptoki2_64.so
> slot=1
> certSignKey=key
> crlSignKey=key
> defaultKey=key
> pin=<pin code>
>
> Any help will be appreciated!
>
> Best regards
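The split Tomas describes (a software provider for the symmetric session key and the data encryption, the HSM-held RSA key only for protecting that session key) as an added Java example; this is not EJBCA's own code. It assumes plain JCE names, and the RSA key pair generated in main() is a software stand-in for the HSM key: with a real HSM you would pass the PKCS#11 Provider as the hsm argument so only the RSA step runs on the device.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class HybridKeyRecoveryDemo {
    static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // Only the RSA cipher is bound to the HSM provider; null means "default software provider"
    // (used here because the demo has no real HSM). AES never touches the PKCS#11 provider.
    static Cipher rsaCipher(Provider hsm) throws GeneralSecurityException {
        return hsm == null ? Cipher.getInstance(RSA_OAEP) : Cipher.getInstance(RSA_OAEP, hsm);
    }

    // Returns { encryptedSessionKey, gcmIv, ciphertext }.
    static byte[][] protect(byte[] plaintext, PublicKey wrapKey, Provider hsm) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");   // software AES key (the "soft" part)
        kg.init(256);
        SecretKey session = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, session, new GCMParameterSpec(128, iv));
        byte[] ct = aes.doFinal(plaintext);
        Cipher rsa = rsaCipher(hsm);                           // only this step would use the HSM
        rsa.init(Cipher.ENCRYPT_MODE, wrapKey);
        byte[] wrappedSession = rsa.doFinal(session.getEncoded());
        return new byte[][] { wrappedSession, iv, ct };
    }

    static byte[] recover(byte[][] blob, PrivateKey unwrapKey, Provider hsm) throws GeneralSecurityException {
        Cipher rsa = rsaCipher(hsm);
        rsa.init(Cipher.DECRYPT_MODE, unwrapKey);
        // RSA decryption hands the raw AES key bytes back to software; the AES work stays soft.
        SecretKey session = new SecretKeySpec(rsa.doFinal(blob[0]), "AES");
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, session, new GCMParameterSpec(128, blob[1]));
        return aes.doFinal(blob[2]);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");  // software stand-in for the HSM key
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] secret = "constructed sample: end-entity private key material".getBytes(StandardCharsets.UTF_8);
        byte[][] blob = protect(secret, kp.getPublic(), null);
        byte[] back = recover(blob, kp.getPrivate(), null);
        System.out.println(java.util.Arrays.equals(secret, back) ? "recovered OK" : "MISMATCH");
    }
}
```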