enterprise

Overview

Fortanix Data Security Manager (DSM) HSM is a cloud-based HSM service provided by Fortanix. Keys are stored in the FIPS 140-2 Level 3 certified HSM and cryptographic operations are securely executed within the module.

The Fortanix Crypto Token implements support for Fortanix DSM via its REST API and is authenticated using an API key.

CRYPTOTOKEN_IMPLEMENTATION=org.signserver.server.enterprise.cryptotokens.FortanixCryptoToken

Available Properties

Property

Description

Required

DEFAULTKEY

The key alias of the private key to be used for testing that this crypto token is working.

(varning) If this key does not exist, the crypto token/worker will show as OFFLINE even if it has been activated. This is typically the case when the crypto token has been set up for the first time and the key has not yet been generated. To resolve, generate a key with the key alias name.

A property with this name is typically also accepted by the worker using this crypto token and will then be the key to use for actual signing.

(bock)

NEXTCERTSIGNKEY

A property with this name is typically configured in the worker using this crypto token to hold the name of the next key to use.  Certificate signing requests (CSR) can be made for this key while the current key (DEFAULTKEY) is still in production. After uploading the new certificate the value of NEXTCERTSIGNKEY can be moved to DEFAULTKEY.


PIN

Authentication code for activation. Only required for auto-activation and is not required when the token is manually activated.

Use the API key as the authentication code.


FORTANIX_BASE_ADDRESS

Optional base URL for the Fortanix DSM REST endpoint. Default: https://apps.smartkey.io


Know Limitations

The following lists limitations of the current implementation.

  • Import of certificate in token is not supported for this crypto token.
  • The Fortanix Crypto Token does not provide any certificates and cannot be used with signers that require a certificate from the token such as OpenPGP-based signers. For details on PGP signing support, refer to DSS-2127.

For information on supported algorithms, see Algorithm Support.