PKCS#11 support for ACME account-key and TLS certificate #45

Open
rmhrisk opened this issue Jan 18, 2024 · 0 comments

rmhrisk commented Jan 18, 2024

Is your feature request related to a problem? Please describe

No, it is not related to a problem

Describe the solution you'd like

One of the features that Nginx supports is the use of an OpenSSL engine, which enables you to (turtles all-the-way-down) configure the use of a PKCS#11 library.

This may be possible today, but if it is, I have not figured it out yet. It would be ideal to put both the ACME account key and the TLS server key on a PKCS#11 implementation such as SoftHSM, TPM2P11, or an HSM product.

Many organizations, including banks and governments, will require that the TLS key is in a hardware device. Since this is supported when not using njs-acme, it would be nice if this capability was preserved.

Describe alternatives you've considered

The only alternative I can think of, unless I am missing how to do this, is to use a different ACME client.

Additional context

N/A
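
For reference, the stock nginx path the issue refers to (TLS server key held behind an OpenSSL engine, without njs-acme) looks roughly like this. This is an added example, not part of the original issue or of njs-acme; it assumes libp11's `pkcs11` engine is installed and that `openssl.cnf` points the engine at the PKCS#11 module (for example SoftHSM), and the server name, file path, token label and object label are constructed placeholders.

```nginx
# Main context: ask OpenSSL to load the engine named "pkcs11".
# Assumption: openssl.cnf already configures this engine with the path
# to the PKCS#11 library (SoftHSM, a TPM2 PKCS#11 module, or an HSM vendor library).
ssl_engine pkcs11;

events {}

http {
    server {
        listen 443 ssl;
        server_name example.test;                      # constructed name

        # The certificate is public and stays on disk as usual.
        ssl_certificate /etc/nginx/tls/example.test.crt;   # constructed path

        # Form is engine:<engine name>:<key id>. With the pkcs11 engine the
        # key id is a PKCS#11 URI (RFC 7512). It must be quoted because the
        # URI contains ';', which otherwise ends the directive.
        # The private key never leaves the token; nginx only holds a handle.
        ssl_certificate_key "engine:pkcs11:pkcs11:token=nginx-tls;object=tls-server-key;type=private";

        # The token PIN is supplied through the engine configuration or the
        # URI; whichever file carries it should be readable only by the
        # account that starts nginx.
    }
}
```

This covers only the TLS server key in a static configuration. It does not show njs-acme using a token for the ACME account key or for keys it generates, which is what the issue asks for.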
