Published in


Fabric CA with SoftHSM integration

SoftHSM is a software implementation of a cryptographic device that allows us to create and manipulate cryptographic tokens. It is supported by a PKCS #11 interface (Crypto API) which allows us to use the content of the stored tokens in our applications.

SoftHSM will be used to store cryptographic key-pairs related to the PKI infrastructure because once inside of SoftHSM, then cryptographic material can never be taken out or viewed. Furthermore, SoftHSM brings all the security functionalities offered by a regular HSM except the physical security making it cost-effective in the sense of simplicity and maintainability.

Conclusively, it complies with security standards such as FIPS and uses strongly vetted libraries such as OpenSSL and BOTAN for cryptographic operations (SoftHSM is open source as well).

Setting up SoftHSM (UBUNTU Version):

  1. First we need to download the source:

2. Next we need to extract the content of the source:

tar -xzf softhsm-2.3.0.tar.gz

3. Now there should be a configuration script that should be run to check for dependencies:


4. At this point it is time to compile the project using the make command:


5. SoftHSM Is now ready to be installed on the system:

sudo make install

6. Use the command below to initialize a token using:

softhsm2-util — init-token — slot <insert slot number> — label <“insert label name”>

7. Set a SO Pin. This password is used for reinitialization purposes of the token:

<insert desired password> x2

8. Set a User Pin. This password is used for applications to interact with the token content:

<insert desired password> x2

9. The SoftHSM token can now be used to store and use cryptographic material privately.

The cryptographic material stored in a SoftHSM token, is stored securely and locked as a shared object library file. This file can commonly be found at /usr/local/lib/softhsm/ file path. The token files can next be duplicated and stored on a USB to create a backup of the token and this USB should be stored securely in a bank vault or similar.

Non Root User:
For security best practices, it is never a great idea to have a root user on a system but privileged users with the appropriate permissions instead.

To use SoftHSM properly as a non-root user, a few configurations must be done in advance. This is because by default the software is trying to access a token storage destination where the permission is limited to the root user and associated groups. Ownership/Permission of the token storage destination is not enough and instead, the below process is required:

cd $HOMEmkdir -p $HOME/lib/softhsm/tokenscd $HOME/lib/softhsm/echo “directories.tokendir = $PWD/tokens” > softhsm2.confexport SOFTHSM2_CONF=$HOME/lib/softhsm/softhsm2.confsofthsm2-util — init-token — slot <insert slot number> — label <“insert label name”>

Fabric CA:
Fabric CA is used as a certificate authority to connect to LDAP as the user registry and to manage various network-related tasks.

Setting up a SoftHSM Configured Fabric CA:
Once the SoftHSM token has been set up, then the Fabric CA needs to be configured to utilize it for cryptographic key-pair generation and utilization.

There are two ways this can be achieved. The environment variables can be configured or the associated config file in the BCCSP section.

However, first, a customized Fabric CA image must be built since the exiting prebuilt images do not offer support for PKCS#11 by default. As a result, PKCS#11 needs to be enabled in a custom Fabric CA image using the following command:

make docker GO_TAGS=pkcs11

For OSX, to manage the dependecies of gnu-tar and libtool, please use the following commands before building the fabric-ca image.

brew install gnu-tarbrew install libtoolexport PATH=”/usr/local/opt/gnu-tar/libexec/gnubin:$PATH”

Once that has been done, then the required SoftHSM utilization configurations should be applied to the BCCSP section of the Fabric CA server configuration file:

Alternatively, the relevant fields can be overridden using environment variables as following:

FABRIC_CA_SERVER_BCCSP_DEFAULT=PKCS11FABRIC_CA_SERVER_BCCSP_PKCS11_LIBRARY=/usr/local/Cellar/softhsm/2.1.0/lib/softhsm/libsofthsm2.soFABRIC_CA_SERVER_BCCSP_PKCS11_PIN=<insert user pin>FABRIC_CA_SERVER_BCCSP_PKCS11_LABEL=<insert label name>

Now Fabric CA has been configured to use SoftHSM for cryptographic key-pair storage and operations. The keys can never leave the isolated enclave but it is possible to use the keys privately. Conclusively, It might be necessary to check how the Fabric CA is instantiated in the NODE-SDK nonetheless.




We share, we grow together.

Recommended from Medium

Azure Data Studio — Create table

Azure Data studio download

Protect Private Content S3 using AWS CloudFront

Algorithm Challenge: Sum of Two

How To Build an Image Crawler Without Coding

Build a chatroom with Nearby Messages

How to Choose the Right Web Development Pricing Model?

Improving ForgeOps disk performance and security on AWS EKS

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Bibek Koirala

Bibek Koirala

A blockchain dev | Zilliqa Developer Ambassador | RedChillies Labs, Inc. | Pastel Soft | JS Security Technologies | AART

More from Medium

ElastiCache Security Options

A Review of Distributed Architecture for 5G Networks Using Blockchain

Working with Hyperledger Fabric v2.2

Our Investment in Ottertune: AI automated Database optimisation platform