Migrate CA to another HSM

[levlineko]

Hello,
It is possible to migrated CA from one model of HSM to another model of HSM without reissue CA certificate?
CA uses HSM PKCS#11 library for signing.
EJBCA is old version 3.10

[primetomas]

This all depends on your HSM. If you an export the private key from one HSM and import it into another HSM then yes you can do it. If the keys you have generated on the HSM can not be exported, then no it can not be done. This issue is not under the control of EJBCA, but how the keys were generated in the HSM from the start, and unfortunately the default is typically that keys can not be exported in a format that can be imported into another HSM.

But in EJBCA itself, yes you can switch a CA from one HSM to another. In newer versions of EJBCA there is a command line command for that so it can be easily done.

[levlineko]

Hi Tomas,
Thank you for your answer.
I am trying to test luna 7 hsm with ejbca 3.10.4.
Luna client is installed and initialisation paertition 0:
/usr/safenet/lunaclient/bin/vtl verify
vtl (64-bit) v10.4.1-7. Copyright (c) 2021 SafeNet. All rights reserved.

The following Luna SA Slots/Partitions were found:

Slot Serial # Label
==== ================ =====
0 1461480004528 SUBCA-DEV

When i try to generate key by ejbcaClientToolBox log on luna failed.
/opt/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /usr/safenet/lunaclient/lib/sunpkcs11.cfg 4096 luna-hsm-key
2022-11-21 21:45:42,965 INFO [org.ejbca.util.keystore.KeyTools] Using SUN PKCS11 provider: sun.security.pkcs11.SunPKCS11
Command could not be executed. See log for stack trace.
2022-11-21 21:45:43,170 ERROR [org.ejbca.ui.cli.HSMKeyTool] Command 'PKCS11HSMKeyTool generate /usr/safenet/lunaclient/lib/sunpkcs11.cfg null pkcs11 4096 luna-hsm-key' could not be executed.
java.security.KeyStoreException: KeyStore instantiation failed
at java.security.KeyStore$Builder$2.getKeyStore(KeyStore.java:1967)
at org.ejbca.util.keystore.KeyStoreContainerP11.getInstance(KeyStoreContainerP11.java:89)
at org.ejbca.util.keystore.KeyStoreContainerP11.getInstance(KeyStoreContainerP11.java:60)
at org.ejbca.util.keystore.KeyStoreContainerFactory.getInstance(KeyStoreContainerFactory.java:55)
at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:137)
at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:290)
at org.ejbca.ui.cli.PKCS11HSMKeyTool.execute(PKCS11HSMKeyTool.java:47)
at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:38)
at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:64)
Caused by: java.io.IOException: load failed
at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:858)
at java.security.KeyStore.load(KeyStore.java:1479)
at java.security.KeyStore$Builder$2$1.run(KeyStore.java:1937)
at java.security.KeyStore$Builder$2$1.run(KeyStore.java:1918)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.KeyStore$Builder$2.getKeyStore(KeyStore.java:1964)
... 8 more
Caused by: javax.security.auth.login.FailedLoginException
at sun.security.pkcs11.SunPKCS11.login(SunPKCS11.java:1340)
at sun.security.pkcs11.P11KeyStore.login(P11KeyStore.java:876)
at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:849)
... 13 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_PIN_INCORRECT
at sun.security.pkcs11.wrapper.PKCS11.C_Login(Native Method)
at sun.security.pkcs11.SunPKCS11.login(SunPKCS11.java:1328)
... 15 more

My sunpkcs11.cfg is as admin guide:
cat /usr/safenet/lunaclient/lib/sunpkcs11.cfg
name=Luna
library=/usr/safenet/lunaclient/lib/libCryptoki2_64.so
#library=/usr/lib/pkcs11-spy.so
slot = 0

attributes(generate,,) = {
CKA_TOKEN = true
}
attributes(generate,CKO_PUBLIC_KEY,) = {
CKA_ENCRYPT = true
CKA_VERIFY = true
CKA_WRAP = true
}
attributes(generate, CKO_PRIVATE_KEY,) = {
CKA_EXTRACTABLE = false
CKA_DECRYPT = true
CKA_SIGN = true
CKA_UNWRAP = true
}

Can you help me to solve this problem, please?

Best regards

[primetomas]

You said migrate from one HSM to another. What is the first HSM and what is the second?

EJBCA 3.10 is way to old btw, you will not find modern platforms to run it on. Upgrade and you'll be able to do anything you want. There is help available...

CKR_PIN_INCORRECT is the message from the HSM, it means the HSM slot PIN is incorrect.

[levlineko]

First HSM is nShield connect 6000+. Works fine with 3.10.
The second HSM is Luna 7 with luna client software 10.4.
What version on luna client software supported by EJBCA 3.10?
At the moment we haven't got problems with nShield and Utimaco.

[mike-agrenius-kushner]

Yeah, as Tomas said...3.10 is about 13+ years old, there is now way we can give any support on that. You'll have to upgrade before we can give any advice.

[primetomas]

3.10 is only 12.5 years old :-).
https://doc.primekey.com/ejbca/ejbca-release-information/ejbca-release-notes/ejbca-change-log-summary#EJBCAChangeLogSummary-EJBCA3.10.0

There are several options to get to the last release, without downtime if you want.