What is the "PKCS#11 NG" cryptotoken type? #49
Hi, I stumbled upon a crypto token type called "PKCS#11 NG" in the Fortanix DSM documentation. I could not find much information on this type of crypto token. Is this from the Enterprise / Cloud version? It is not available in the latest CE docker image and also not in GIT as far as I could see. While I was able to use Fortanix SaaS with the "normal" PKCS#11 crypto token type in general, there are some features that are not working. I could only generate RSA keys, no ECDSA, and could also not see keys imported from the Fortanix UI. So I was wondering if the NG version may have better support. Does anyone have some insights on this NG version? Thanks,
Replies: 1 comment
Hi Nicolai,

So to begin with, the quick answer is that the P11NG provider is currently still only part of the Enterprise edition, but will with time become the default provider for EJBCA.

The longer answer is that a few years back we decided to develop our own home-grown provider, because we were getting tired of the compatibility issues with the legacy Sun PKCS#11 provider. It's also allowed us to do some neat stuff like support EdDSA and talk to other crypto providers like the cloud HSMs and other things that don't speak strict PKCS#11.

So that said, in relative terms P11NG is still relatively young, and we're as yet not recommending it for general use except for the use cases which we have specifically tested. With time it's going to become the default provider for EJBCA as well, albeit stripped of some functionality for CE. It'll still provide more and better functionality than the Sun provider though.

Cheers,