AWS CloudHSM

This is an EJBCA Enterprise feature.

AWS CloudHSM is a cloud-based HSM service in Amazon Web Services. CloudHSM uses FIPS 140-2 Level 3 certified Cavium/Marvell HSMs in the backend and is accessible through the PKCS#11 API. Custom modules are needed for full EJBCA support of CloudHSM, and this is supported in EJBCA Cloud.

For step-by-step instructions on how to integrate EJBCA Enterprise Cloud with AWS CloudHSM, see the AWS CloudHSM Integration Guide and for more information on the EJBCA Cloud product, see EJBCA Enterprise Cloud on the PrimeKey website.

There are a few functional limitations when using the PrimeKey version of AWS CloudHSM with the Java PKCS#11 provider (called PKCS#11 in the Admin UI), due to the PKCS#11 integration between the currently used Java PKCS#11 provider and the Liquidsec PKCS#11 driver:

  • Key generation in the EJBCA Admin UI is not possible. ClientToolBox must be used to generate keys on AWS CloudHSM.

  • Deleting keys using EJBCA tools (Admin UI, ClientToolBox) is not possible. Cavium tools, and deleting the certificate file from the file system, can be used to delete keys and objects.

PKCS#11 NG, available in EJBCA 7.5.0 and later, has better native support for AWS CloudHSM, including key generation in the Admin UI.