Access EJBCA using USB Tokens and Smart Cards

The recommended way of authenticating with EJBCA in a high security environment is by using a hard token. This means you use a hardware token instead of storing the private key directly in the browser. You can log in to EJBCA using most USB tokens and smart cards supporting PKCS11.

This is more secure than using a P12-file (soft token) installed in your browser, because:

  • The token cannot be easily copied.

  • The private key is never exposed outside the token (the key is generated on the token and signature operations are performed by the token).

  • The token can lock itself if someone tries to guess the PIN.

The following is a small selection of tokens that have recently been tested for direct simple usage. Note that other tokens and other Card/Token Management Systems (CMS) are also working well and in production all around the world. If you are planning a commercial project, contact PrimeKey for the latest list of supported integrations with tokens and token management systems. For hardware or driver support on specific tokens, contact the token vendor. New tokens are continuously appearing on the market, and this documentation is not updated to reflect this, but should be treated as examples.


Tested on

Enrollment method

Year tested/documented

SecureMetric ST3

Linux and Windows

Legacy browser-enrollment (or SecureTMS)


SecureMetric ST3 Ace

Linux and Windows

Legacy browser-enrollment (or SecureTMS)


Yubico YubiKey 5 (NFC)


YubiKey PIV Manager or PIV Tools


Yubico YubiKey C FIPS


YubiKey PIV Manager


Feitian ePass2003


Legacy browser-enrollment


Aventra MyEID

Linux and Windows

OpenSC/OpenSSL (or ActiveCMS)


The following browsers have known working smart card integration:

  • Firefox

  • Chromium

  • Internet Explorer

Smart Card Integration with Firefox

Support for smart cards is built into Firefox and is accessed as follows:

  1. Type about:preferences#privacy in the address bar and press Enter.

  2. Scroll down to the bottom of the page and click Security Devices.

  3. Add a new PKCS11 module by clicking Load.

  4. Specify the name of the module, click Browse, and then point to the PKCS11 module you want to use. This is typically a dynamic-link library (.dll) file on Windows, or an shared object (.so) file on Linux.

    If you are using a 64-bit version of Firefox, make sure you are loading the 64-bit version of the PKCS11 library.

  5. Click OK to add the module.

Smart Card Integration in Chromium

Chromium does not have a graphical user interface but does have PKCS11 support. For more information, refer to the ubuntu documentation on Google Chrome/Chromium Setup.

This procedure has been tested on a 64-bit Ubuntu 16.04 with Chromium 70.

  1. Install NSS tools.

    sudo apt-get install libnss3-tools

  2. Close Chromium if it is running.

  3. Add a new PKCS11 module.

    modutil -dbdir sql:.pki/nssdb/ -add "Module Name" -libfile /path/to/


The OpenSC project contains a generic PKCS11 module with support for many different USB tokens and smart cards.

To install directly from the repository in Ubuntu, run:

sudo apt-get install opensc

There is also a Windows installer available.

Related Content