Your browser does not allow this site to store cookies and other data. Some functionality on this site may not work without them. See Privacy Policy for details on how we would use cookies.

PreviousNextUp[Front page] [Index]

Adding PKCS #11 Modules to the Certifier Engine

PKCS #11 modules are added to SSH Tectia Certifier by editing the configuration file of the SSH Tectia Certifier engine. The configuration file is named engine.conf and it can be found under the SSH Tectia Certifier installation directory in the conf sub-directory (for example, /usr/local/certifier/conf/engine.conf on Linux).

The PKCS #11 module configuration is in the top level of the ca-engine block (as a commented-out example in the default file indicates). On Unix, the following example adds an Eracom PKCS #11 module to the engine installation.

  (provider (type "pkcs11")
            (library "/opt/ERACcpsdk/lib/linux-i386/")
            (info "read-only(no)")))

On Windows, the following example adds an nCipher PKCS #11 module. Note that the backslash characters in the path need to be escaped.

provider  (type "pkcs11") 
             (library "C:\\nfast\\bin\\cknfast.dll") 
             (info "read-only(no) threads(no)")) 

The information which needs to be changed is the path to the dynamically loaded PKCS #11 DLL (in Windows) or a shared object in Unix.

The default location for the PKCS #11 modules in Windows are:

  • nCipher: c:\nfast\bin\cknfast.dll
  • Eracom: c:\Program Files\ERACOM\CProv Runtime\cryptoki.dll

In Unix systems the defaults are:

  • nCipher: /opt/nfast/gcc/lib/
  • Eracom: /opt/ERACcpsdk/lib/linux-i386/

Note: When the info parameter is set to "read-only(no)", keys can be created via the PKCS#11 interface. If the read-only option is missing, or it is set to "read-only(yes), only existing keys can be used via the PKCS#11 interface. In addition, "threads(no)" has to be added under info when an nCipher module is used on Linux platforms.

Once the PKCS #11 modules are added to SSH Tectia Certifier Engine, the Engine needs to be restarted. To check whether the Engine has detected the installed PKCS #11 keys, log in to the Administration Service, and click System Configuration. Click Show CA Passphrase Status. The created PKCS #11 keys should be visible in the appearing key list.

PreviousNextUp[Front page] [Index]