Physical HSM Support

enemystand · March 15, 2018, 8:25am

Hello! I was hoping you could answer something I haven’t been able to place.

I have been going through the documentation of Boulder and there’s something I’m missing. I’m trying to understand how do you guys supports physical HSMs. From what I gather, you guys are using Gemalto HSMs in your installation, but can a Boulder CA interface with Safenet products (Most prominently Luna) easily? What is missing?

I didn’t know how to tag this correctly, as I was unsure if the feature exists or not.

Thanks in advance …

_az · March 15, 2018, 9:03am

I believe boulder-ca uses PKCS#11 to interface with HSMs, which appears to be supported by Safenet Luna.

Perhaps see also https://github.com/letsencrypt/pkcs11key / https://godoc.org/github.com/letsencrypt/pkcs11key#Config which is used by boulder-ca.

The HSM vendor should provide a module that you can plug directly into pkcs11key.

enemystand · March 15, 2018, 10:03am

Thanks, I’ll check it out when I try to use it. I will create a separate issue should I run into implementation problems.

system · April 14, 2018, 10:04am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
CA software and HSM's used Issuance Tech	4	5019	May 20, 2016
Boulder - Third-Party CA Certs (PKCS#11 or otherwise) Feature Requests	1	919	April 19, 2018
How to connect to AWS CloudHSM successfully? (failing at "login" step) Help	6	3687	January 15, 2019
Run Boulder in cooperation with a customer PKI? Issuance Tech	5	1803	May 7, 2018
Boulder deployment help Help	8	815	October 24, 2018

Physical HSM Support

Related topics