EJBCA Signing Behavior: HSM Not Invoked for Every Request

[Manju-212]

I'm using the EJBCA Community Edition and have noticed that the HSM is not invoked for every signing request. However, the signed data is still returned correctly to the client.

Could someone explain what mechanism EJBCA employs in this case? Is it caching key handles, utilizing session-based signing, or applying some other optimization?

Also, is this behavior secure and in line with best practices for cryptographic key usage?

[primetomas]

If it's a signature using the CAs private key, i.e. issuing a certificate or CRL the HSM is most definitely invoked. There is no other way, EJBCA doesn't have any access to the private key and can not make anything without using the HSM.
Either you are seeing it wrong on the HSM, or you are looking it signing requests that return an error, meaning that nothing is signed using the CAs signing key. You can see nice logs from EJBCA, or from your PKCS11 driver if you can make it log PKCS11 calls.