PKCS11 is a standard that defines a platform-independent API to cryptographic tokens such as hardware security modules. SoftHSM is a software implementation of a cryptographic store that is accessible through the PKCS11 interface. The SunPKCS11 provider implements a bridge between JCE and the PKCS11 interface for applications to use. Various tools are available for initializing tokens and generating keys and certificates. The private keys in a PKCS11 token are not extractable, thereby providing extra security.

In the case of SoftHSM, the keys are stored on disk either in a file or in a database, depending on the configuration. A token slot is initialized using the softhsm2-util utility:

softhsm2-util --init-token --slot 0 --label "My token 1" --pin <user pin> --so-pin <so pin>

The SunPKCS11 provider reads a configuration file that specifies the token library to load, the token slot to use, and the name to associate with the provider instance.

$ cat pkcs11.cfg
name = pkcs11Test
library = /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
slot = 0

The SunPKCS11 provider is added to the JRE with the above configuration to make it available to applications. Using keytool and the SunPKCS11 interface, a key pair can now be either imported or generated.

Importing:

    keytool -importkeystore -deststorepass <password> -destkeystore NONE -srckeystore <client key pair> -deststoretype PKCS11 -srcstoretype PKCS12 -srcstorepass <source store password> -alias mykeyimport

Generating:

    keytool -genkeypair -alias mykeygen -keyalg RSA -keystore NONE -storetype PKCS11


Once the key pair is generated, a certificate signing request (CSR) can be produced with the following command so that the CA can sign it:

    keytool -certreq -alias <key pair alias> -keyalg RSA -file mydom.csr -keystore NONE -storetype PKCS11

Now the application can readily use the keys and certificates for authentication, encryption, decryption, verification and signing operations.
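As an added example (not code from the original page), the following Java program uses the SunPKCS11 provider configured above to sign data with the token-resident private key and verify the signature with the matching certificate; it assumes the pkcs11.cfg shown above, the alias mykeygen from the keytool command, and Java 9 or later.

```java
// Added example: sign with a key that never leaves the SoftHSM token, verify with its certificate.
// Assumptions: pkcs11.cfg as shown above, alias "mykeygen", Java 9+ (Provider.configure).
import java.io.Console;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.Certificate;
import java.util.Arrays;

public class Pkcs11SignDemo {
    public static void main(String[] args) throws Exception {
        String cfg = args.length > 0 ? args[0] : "pkcs11.cfg"; // config path (assumed)
        String alias = "mykeygen";                               // alias used with keytool -genkeypair

        // Read the user PIN interactively rather than hard-coding it or passing it on the command line.
        Console console = System.console();
        if (console == null) throw new IllegalStateException("run from a terminal to enter the PIN");
        char[] pin = console.readPassword("User PIN: ");

        // Java 9+: configure() returns a provider instance bound to this token configuration.
        Provider p = Security.getProvider("SunPKCS11").configure(cfg);
        Security.addProvider(p);

        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);                                   // logs in to the token with the user PIN
        PrivateKey priv = (PrivateKey) ks.getKey(alias, pin); // handle to the key object on the token
        Certificate cert = ks.getCertificate(alias);
        Arrays.fill(pin, '\0');                               // PIN no longer needed; wipe it from memory

        // For a sensitive/non-extractable token key, getEncoded() returns null: no key material reaches the JVM.
        System.out.println("private key material exposed to JVM: " + (priv.getEncoded() != null));

        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        // The signing operation runs inside the token through the SunPKCS11 provider.
        Signature signer = Signature.getInstance("SHA256withRSA", p);
        signer.initSign(priv);
        signer.update(msg);
        byte[] sig = signer.sign();

        // Verification only needs the public key from the certificate, so any provider will do.
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(cert.getPublicKey());
        verifier.update(msg);
        System.out.println("signature valid: " + verifier.verify(sig));
    }
}
```

Run it with `java Pkcs11SignDemo /path/to/pkcs11.cfg`; the first line printed should be `false`, confirming the private key is not extractable from the token.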
