Crypto4A QxHSM
The QxHSM is a dedicated hardware security module (HSM). EJBCA integrates with QxHSM using the PKCS#11 API. This includes post-quantum algorithms ML-DSA and LMS (since EJBCA 9.3 and QxHSM 4.4.0.614).
The integration with QxHSM is tested with PKCS#11 NG (PKCS#11 NG Crypto Token in EJBCA Enterprise). It has not been thoroughly tested with the Java PKCS#11 provider, although it may work. Post-quantum algorithms are also supported when using P11NG.
Installation and Configuration
Follow the Crypto4A installation instructions to use the QxHSM. To access a network-based (cloud) QxHSM, you typically set a few environment variables:
export C4A_PKCS11_HSM_CLIENT=rest
export C4A_PKCS11_KEYMAN_PORT=8106
export C4A_PKCS11_KEYMAN_ADDR=klondike10.crypto4a.com
export C4A_PKCS11_LOG_LEVEL=error
export C4A_PKCS11_LOG_FILENAME=./p11.txt
Using the HSM
Using the QxHSM is easy: you can use either the p11ng-cli or the Admin UI. The normal slot password is hidden by the configuration of the QxHSM, and if prompted you can type any random string for activation. Some sample P11NG CLI commands:
./p11ng-cli.sh showinfo --lib-file /usr/local/share/lib/c4a-pkcs11/libpkcs11.so
./p11ng-cli.sh showslotinfo --lib-file /usr/local/share/lib/c4a-pkcs11/libpkcs11.so --slot 5
./p11ng-cli.sh showtokeninfo --lib-file /usr/local/share/lib/c4a-pkcs11/libpkcs11.so --slot 5
./p11ng-cli.sh listobjects --lib-file /usr/local/share/lib/c4a-pkcs11/libpkcs11.so --slot-ref SLOT_NUMBER --slot 5
./p11ng-cli.sh generatekeypair --lib-file /usr/local/share/lib/c4a-pkcs11/libpkcs11.so --slot-ref SLOT_NUMBER --slot 5 --alias mldsa44_1 --key-spec ML-DSA-44
./p11ng-cli.sh signperformancetest --lib-file /usr/local/share/lib/c4a-pkcs11/libpkcs11.so --slot 5 --alias mldsa44_1 --signature-algorithm ML-DSA-44 --time-limit 5000
./p11ng-cli.sh listkeypairs --lib-file /usr/local/share/lib/c4a-pkcs11/libpkcs11.so --slot-ref SLOT_NUMBER --slot 5
In the Admin UI it looks like this, if the PKCS#11 driver is installed in one of the standard locations, /usr/local/share/lib/c4a-pkcs11/libpkcs11.so or C:/Windows/System32/Pkcs11.dll.

For more information about crypto tokens, used for storing cryptographic keys in EJBCA, see Crypto Tokens Overview.
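A preflight check for the environment variables and driver path described above, as an added example that is not part of the EJBCA or Crypto4A documentation. The function name c4a_preflight and the rules for what counts as a problem are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight check for the QxHSM PKCS#11 client environment.
# Variable names and the driver path come from this page; what counts as a
# "problem" below is an assumption of this example, not Crypto4A guidance.

# Usage: c4a_preflight /usr/local/share/lib/c4a-pkcs11/libpkcs11.so
# Prints one line per finding and returns 0 only when no problem was found.
c4a_preflight() {
    lib_file=$1
    problems=0

    # The network client settings from the page must all be present.
    for var in C4A_PKCS11_HSM_CLIENT C4A_PKCS11_KEYMAN_ADDR C4A_PKCS11_KEYMAN_PORT; do
        eval "value=\${$var:-}"
        if [ -z "$value" ]; then
            echo "problem: $var is not set"
            problems=$((problems + 1))
        fi
    done

    # The key manager port must be a decimal TCP port number.
    port=${C4A_PKCS11_KEYMAN_PORT:-}
    case $port in
        '') ;;  # already reported as missing above
        *[!0-9]*|??????*)
            echo "problem: C4A_PKCS11_KEYMAN_PORT='$port' is not a valid port"
            problems=$((problems + 1)) ;;
        *)
            if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
                echo "problem: C4A_PKCS11_KEYMAN_PORT=$port is out of range"
                problems=$((problems + 1))
            fi ;;
    esac

    # The driver passed as --lib-file must exist and be readable.
    if [ ! -r "$lib_file" ]; then
        echo "problem: PKCS#11 library '$lib_file' is missing or unreadable"
        problems=$((problems + 1))
    fi

    # A relative log path (such as ./p11.txt) follows the working directory
    # of whatever process loads the driver, so flag it without failing.
    case ${C4A_PKCS11_LOG_FILENAME:-} in
        ''|/*) ;;
        *) echo "note: C4A_PKCS11_LOG_FILENAME is relative; log location depends on the working directory" ;;
    esac

    [ "$problems" -eq 0 ]
}
```

Run it in the same shell that will start p11ng-cli or the application server, so the check sees the environment the driver will see.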