See below for instructions on creating the administrator profile on an HSM (Hardware Security Module).

Configuring the PKCS#11 path

Edit the entrust.ini configuration file to add the PKCS#11 path under the [Entrust Settings] section. See below for the path corresponding to each provider.

Thales Luna
CryptokiV2Library=/usr/safenet/lunaclient/lib/libCryptoki2_64.so
Entrust nShield
CryptokiV2Library=/opt/nfast/toolkits/pkcs11/libcknfast.so
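
A pre-flight check for the edited entrust.ini, as an added example that is not part of the original page or of Entrust's tooling: it confirms that exactly one CryptokiV2Library entry sits under [Entrust Settings] and that it points at an existing library file. The comment markers, the case-sensitive name matching and the write-permission check are assumptions of this example.

```python
import os
import stat
import tempfile

SECTION = "Entrust Settings"      # section name as given on this page
KEY = "CryptokiV2Library"         # key name as given on this page


def find_library_entries(ini_text):
    """Return (section, value) for every CryptokiV2Library line in the file."""
    entries, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # assumed comment markers
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line:
            name, value = line.split("=", 1)
            if name.strip() == KEY:
                entries.append((section, value.strip()))
    return entries


def check_pkcs11_setting(ini_text):
    """Return a list of problems; an empty list means the setting looks usable."""
    entries = find_library_entries(ini_text)
    in_section = [v for s, v in entries if s == SECTION]
    problems = [f"{KEY} found under [{s}], not [{SECTION}]"
                for s, _ in entries if s != SECTION]
    if len(in_section) != 1:
        problems.append(f"expected one {KEY} under [{SECTION}], found {len(in_section)}")
        return problems
    lib = in_section[0]
    if not os.path.isabs(lib):
        problems.append(f"library path is not absolute: {lib}")
    elif not os.path.isfile(lib):
        problems.append(f"library not found: {lib}")
    # Assumption: a library writable by group/others should be flagged before use.
    elif os.name == "posix" and os.stat(lib).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"library is group/world-writable: {lib}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a stand-in file plays the role of the vendor library.
    with tempfile.NamedTemporaryFile(suffix=".so") as fake_lib:
        os.chmod(fake_lib.name, 0o644)
        sample = f"[{SECTION}]\n{KEY}={fake_lib.name}\n"
        print(check_pkcs11_setting(sample) or "OK")
```

Pass the contents of the local entrust.ini to check_pkcs11_setting before starting the Profile Creation Utility; an empty list means the entry is in place.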

Running the Profile Creation Utility

See below for instructions on how to run the Profile Creation Utility to create an administrator profile on an HSM.

To create a profile on an HSM with the Profile Creation Utility

  1. Run the CA Gateway Profile Creation Utility. 
    • Run bin/pcu.sh on Linux.
    • Run bin\pcu.bat on Windows.
  2. Confirm you are on the main menu of the PCU. 
    Main Menu
    1. Exit
    2. Help
    3. Create Entrust profile
    4. Recover Entrust profile
    5. Inspect Entrust profile (read only)
    6. Inspect and update Entrust profile (read/write)
    7. Create Server Login credentials
    8. Create PKCS #12 file (Security Manager)
    9. Recover PKCS #12 file (Security Manager)
    10. Create PKCS #12 file (3rd Party)
    11. Update PKCS #12 file (3rdParty)
    12. Process PKCS #10 Certificate Signing Request (CSR)
    13. Generate/Process Certificate Signing Request on HSM (3rd Party)
    14. Change password
    Select an operation [3]:
  3. Select option 3 for Create Entrust profile.
  4. Select option 2 for Hardware token.
  5. In Take settings from an existing entrust.ini file (y/n)?, enter y for yes.
  6. In Enter full path to entrust.ini, enter the path of the local, edited entrust.ini file. 
  7. In Enter token slot number, enter the slot number of the desired slot. 

    We recommend creating the enrollment agent credentials in a PKCS#11 HSM.

  8. In Enter reference number, enter the reference number given by the Security Manager Administration when creating the user.
  9. In Enter authorization code, enter the authorization code given by the Security Manager Administration when creating the user.
  10. In Enter profile name, enter a file name for the auxiliary profile file. 
  11. In Enter auxiliary profile directory, enter the directory for the auxiliary profile file. The name of this file is the name previously entered in Enter profile name.
  12. In Enter hardware token password, enter the password of the HSM slot.

    Use different passwords for users in different slots. That can help avoid accidentally overwriting a slot already used for a different user.