How are CA keys stored in the soft crypto token?

[jfrlb]

Hello,

I've got a question about the protection of the CA keys in a soft crpyto token (i.e. in the database):
how are the keys stored (and protected) in detail?
I don't find the documentation too detailed, so the only thing I found was in cesecore.properties:

# This password is used internally to protect CA keystores in database unless a password has been set manually.
# CA keystores are the CAs private key, where a password can be defined manually instead when creating the Crypto Token,
...
# This value is not very important if you don't use the CMS Service (which most do not), if you define your own
# Crypto Token Authentication Codes, which is recommended.

So if I understand this right, when assigning an activation PIN for the crypto token, this PIN is also used as an encryption password for the key material in the database? What sort of encryption is actually applied?

Thanks
Jan

[primetomas]

A soft crypto token is stored as a PKCS#12 file in the database. That is encryption with either 3DES or AES encryption (not sure which version uses which off hand).
The default password has been removed for future versions actually, you will always be forced to set your own password.