EzSign Thales nCipher HSM Integration

EzSign can make use of any HSM that supports the PKCS#11 interface.  The steps to configure EzSign for use with an HSM are simple and are outlined below but before any confguration takes place, the following pre-requisites must be in place: 

  • The HSM must be networked, configured and the Security World must be loaded
  • The local HSM client software must be installed and the HSM must be enrolled
  • Any passwords (such as the operator cardset password) must be available

 To confirm that the server can see and communicate with the HSM run the enquiry command e.g. C:\nCipher\nfast\bin\enquiry.exe

This will output details about the HSM, cardsets and the status


EzSign Server Configuration

Edit the server.properties file and add a new channel as shown below:


The key points to note are:

The channel number (e.g. channel.1) increments for every channel, so if you have any previous channels configured (which you wish to retain) then the number should be incremented (e.g. if you had settings for channel.1 already, then these settings would all start channel.2)

The tokenType is PKCS11

The token.password value should be blank for now, as we will set this later

The value for token.pkcs11.library should be the PKCS#11 library.  You should reference the 32 or 64 bit versions depending on the host system

The value for token.pkcs11.slot depends on how your HSM has been setup.  Usually the module is at slot 0, and operator card sets at slot 1, 2...etc.  Usually slot 1 refers to the operator card set if only one has been created

Other options can be altered as required


Configure Passwords

Next start the EzSign Management utility (ezsign-manage.bat [properties file]).  Enter the master password and choose option 1.  Follow the prompts which require you to set the master password again, then the token password.  in this instance the token password will be the HSM password.  If an operator card set has been created this will be the passphrase associated with that cardset (set when the cardset is created)

The utility will prompt to save the updated file

This will result in the token.password setting being populated with the encrypted password

Exit the utility


Generate CSR

When ready to generate a CSR, start the Management utility and choose option 2 to Generate a CSR.  This will be the same process as when software CSRs are generated.  Note, that the token password will be the operator cardset password for the HSM

Once the CSR has been generated, send this to the CA and obtain the certificates as .cer files.  Obtain the entire chain (issued end-entity certificate plus any intermediates and the root).  Import via the Management utility using option 4

When the end-entity certificate has been imported you will be prompted whether you wish to set this as ths signing key.  Choose yes, and the properties file will be updated, populating the signature.keyId value


Run the Server

Assuming all steps were succesfull and the HSM is operational the server can now be started and signing operations should use the key generated on the HSM



Contact Us

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Call: 020 8938 3616

Sales & Support

Should you need any help with any of Krestfield's products, or wish to make any suggestions, please contact us.

Sales: sales@krestfield.com

Support: support@krestfield.com

Latest News


Version 1.1.0 released


Version 3.1.0 released


Our Mission

To create secure, highly available, easy to use products that are priced fairly

Please publish modules in offcanvas position.