Physical HSM Support


#1

Hello! I was hoping you could answer something I haven’t been able to place.

I have been going through the documentation of Boulder and there’s something I’m missing. I’m trying to understand how you support physical HSMs. From what I gather, you are using Gemalto HSMs in your installation, but can a Boulder CA interface with Safenet products (most prominently Luna) easily? What is missing?

I didn’t know how to tag this correctly, as I was unsure if the feature exists or not.

Thanks in advance …


#2

I believe boulder-ca uses PKCS#11 to interface with HSMs, which appears to be supported by Safenet Luna.

Perhaps see also https://github.com/letsencrypt/pkcs11key / https://godoc.org/github.com/letsencrypt/pkcs11key#Config which is used by boulder-ca.

The HSM vendor should provide a module that you can plug directly into pkcs11key.
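
What this looks like from the operator's side, as an added example that is not code from the thread, from Boulder or from pkcs11key: a Go program that parses the kind of PKCS#11 key fragment a boulder-ca operator supplies (module path, token label, PIN, private-key label), runs the checks worth doing before the CA process loads a vendor module, and then exercises the `crypto.Signer` contract that the CA code actually depends on. The struct and JSON field names, the Luna client library path and the labels are assumptions for illustration; a software ECDSA key stands in for the HSM-backed signer so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// PKCS11Config mirrors the shape of the PKCS#11 settings an operator hands to
// the CA. Field and JSON names are assumptions for this example, not a copy
// of Boulder's or pkcs11key's own types.
type PKCS11Config struct {
	Module          string `json:"module"`          // path to the vendor's PKCS#11 shared library
	TokenLabel      string `json:"tokenLabel"`      // CKA_LABEL of the token/partition to open
	PIN             string `json:"pin"`             // user PIN for that token
	PrivateKeyLabel string `json:"privateKeyLabel"` // CKA_LABEL of the private key object to use
}

// Validate runs the pre-flight checks for a module before the CA loads it.
// The module is a shared library that gets dlopen'ed into the CA process,
// so a writable module path is equivalent to code execution inside the CA.
func (c PKCS11Config) Validate() error {
	var errs []string
	if c.Module == "" {
		errs = append(errs, "module path is empty")
	} else {
		if !filepath.IsAbs(c.Module) {
			errs = append(errs, "module path must be absolute")
		}
		if fi, err := os.Stat(c.Module); err != nil {
			errs = append(errs, "module not found: "+err.Error())
		} else if fi.Mode().Perm()&0o022 != 0 {
			errs = append(errs, "module is group- or world-writable")
		}
	}
	if c.TokenLabel == "" {
		errs = append(errs, "tokenLabel is empty")
	}
	if c.PIN == "" {
		errs = append(errs, "pin is empty")
	}
	if c.PrivateKeyLabel == "" {
		errs = append(errs, "privateKeyLabel is empty")
	}
	if len(errs) > 0 {
		return errors.New(strings.Join(errs, "; "))
	}
	return nil
}

// ParseConfig decodes a JSON fragment and validates it.
func ParseConfig(raw []byte) (PKCS11Config, error) {
	var c PKCS11Config
	if err := json.Unmarshal(raw, &c); err != nil {
		return c, err
	}
	return c, c.Validate()
}

// SmokeTest signs a digest with whatever crypto.Signer the CA was given and
// verifies it against the signer's own public key. An HSM-backed signer and a
// file-backed one are interchangeable behind this interface, so this is the
// check that the token, PIN and key label were wired up correctly.
func SmokeTest(signer crypto.Signer) error {
	digest := sha256.Sum256([]byte("boulder-ca pkcs11 smoke test")) // constructed input
	sig, err := signer.Sign(rand.Reader, digest[:], crypto.SHA256)
	if err != nil {
		return err
	}
	pub, ok := signer.Public().(*ecdsa.PublicKey)
	if !ok {
		return errors.New("expected an ECDSA public key (adjust for RSA tokens)")
	}
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature did not verify against the token's public key")
	}
	return nil
}

func main() {
	// Constructed config fragment; the Luna client path is an assumed install location.
	raw := []byte(`{"module":"/usr/safenet/lunaclient/lib/libCryptoki2_64.so",
	                "tokenLabel":"boulder-ca","pin":"1234","privateKeyLabel":"intermediate-key"}`)
	if cfg, err := ParseConfig(raw); err != nil {
		fmt.Println("config rejected:", err)
	} else {
		fmt.Printf("config ok: token=%q key=%q\n", cfg.TokenLabel, cfg.PrivateKeyLabel)
	}
	// Software key standing in for the HSM-backed signer.
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	fmt.Println("smoke test:", SmokeTest(key))
}
```

The permission check is the one people skip: the PKCS#11 library is untrusted code from the CA's point of view until its ownership and mode are right, and the PIN should be read from a root-owned file rather than sitting in a world-readable config. Once the vendor module passes these checks, the same `crypto.Signer` plumbing that works for a file-based key works for the token.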


#3

Thanks, I’ll check it out when I try to use it. I will create a separate issue should I run into implementation problems.

