Create a CSR with keys in AWS KMS

Does anyone know how this can be achieved since the private key never leaves the KMS HSM?


It looks like it's possible. It also looks like you could use it directly with an ACME client, if you can change its OpenSSL invocations.

This should be the software to link the OpenSSL CLI and your HSM: https://github.com/nakedible/openssl-engine-kms (openssl-engine-kms: AWS KMS powered engine for OpenSSL)

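The mechanism the thread is circling around, as an added example that is not code from the thread or from openssl-engine-kms: a PKCS#10 CSR is just DER with a signature over the CertificationRequestInfo, so anything that can sign a SHA-256 digest on your behalf is enough to produce one without the private key ever leaving the HSM. AWS KMS exposes exactly that through GetPublicKey (the DER SubjectPublicKeyInfo) and Sign with MessageType='DIGEST', which is what the OpenSSL engine wraps. The block below assembles the CSR by hand in Python with the cryptography library and a pluggable signing callback. kms_signer shows the boto3 call and assumes an RSA asymmetric KMS key (the key ID, region and credentials are yours to supply); demo_csr stands a locally generated RSA key in for the KMS key so the example runs offline, and the result is checked by parsing it back and verifying the signature.

```python
"""Build a PKCS#10 CSR when the private key is only reachable through a
signing oracle such as AWS KMS, so the key never leaves the HSM.
Added example; not code from the thread or from openssl-engine-kms."""
import hashlib
from typing import Callable

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa, utils
from cryptography.x509.oid import NameOID

# AlgorithmIdentifier for sha256WithRSAEncryption (1.2.840.113549.1.1.11)
# with NULL parameters, pre-encoded as DER.
SHA256_RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d01010b0500")


def der_tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder: tag byte, definite (minimal) length, content."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def build_csr_der(common_name: str, spki_der: bytes,
                  sign_digest: Callable[[bytes], bytes]) -> bytes:
    """Assemble a CSR (RFC 2986). spki_der is the DER SubjectPublicKeyInfo
    (what KMS GetPublicKey returns); sign_digest(sha256_digest) must return a
    PKCS#1 v1.5 signature over that digest, which is what KMS Sign does with
    MessageType='DIGEST' and SigningAlgorithm RSASSA_PKCS1_V1_5_SHA_256."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cri = der_tlv(0x30, b"".join([
        der_tlv(0x02, b"\x00"),   # version v1(0)
        subject.public_bytes(),   # subject Name, DER from cryptography
        spki_der,                 # subjectPKInfo
        der_tlv(0xA0, b""),       # attributes [0] IMPLICIT SET OF, empty
    ]))
    signature = sign_digest(hashlib.sha256(cri).digest())
    return der_tlv(0x30, b"".join([
        cri,
        SHA256_RSA_ALG_ID,
        der_tlv(0x03, b"\x00" + signature),  # BIT STRING, 0 unused bits
    ]))


def kms_signer(key_id: str) -> Callable[[bytes], bytes]:
    """Real-world signer: asks KMS to sign the digest with the HSM-held key.
    Assumes boto3, AWS credentials and an RSA asymmetric KMS key (key_id is
    hypothetical here); not called in this offline example."""
    import boto3  # imported lazily so the rest of the example runs offline
    client = boto3.client("kms")

    def sign_digest(digest: bytes) -> bytes:
        return client.sign(KeyId=key_id, Message=digest, MessageType="DIGEST",
                           SigningAlgorithm="RSASSA_PKCS1_V1_5_SHA_256")["Signature"]
    return sign_digest


def demo_csr(common_name: str = "example.com") -> bytes:
    """Offline demo: a locally generated RSA key stands in for the KMS key.
    Constructed for this example; with KMS you would fetch the SPKI via
    GetPublicKey and pass kms_signer(key_id) instead."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    spki = key.public_key().public_bytes(
        serialization.Encoding.DER,
        serialization.PublicFormat.SubjectPublicKeyInfo)

    def sign_digest(digest: bytes) -> bytes:
        # Prehashed mirrors KMS: the caller hands over the digest, not the message.
        return key.sign(digest, padding.PKCS1v15(), utils.Prehashed(hashes.SHA256()))
    return build_csr_der(common_name, spki, sign_digest)


def csr_is_valid(der: bytes) -> bool:
    """True if the CSR parses and its self-signature verifies."""
    return x509.load_der_x509_csr(der).is_signature_valid


def csr_common_name(der: bytes) -> str:
    """Subject CN of a DER CSR, read back through the standard parser."""
    csr = x509.load_der_x509_csr(der)
    return csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


if __name__ == "__main__":
    der = demo_csr()
    pem = x509.load_der_x509_csr(der).public_bytes(serialization.Encoding.PEM)
    print(pem.decode())
```

Pipe the printed PEM into `openssl req -noout -verify -text` to confirm OpenSSL accepts it; the same build_csr_der call with kms_signer(...) and the KMS-supplied SPKI yields a CSR whose key exists only inside KMS.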

Thanks very much for your reply.

> It also looks like you could use it directly with an ACME client, if you can change its OpenSSL invocations.

Could you elaborate a bit on this?

> This should be the software to link the OpenSSL CLI and your HSM: https://github.com/nakedible/openssl-engine-kms (openssl-engine-kms: AWS KMS powered engine for OpenSSL)

Yes, we are considering using this, but we have some concerns that it hasn't been updated in two years and therefore isn't actively maintained.


I had never heard of the AWS HSM before yesterday, but I know several ACME clients make direct OpenSSL calls, and you could use that software (which I have never used) to make OpenSSL use the HSM for its calculations, putting it all together.

I agree. It's probably because you can use AWS's own certificate authority and remove all that headache while still getting the HSM security.
