Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PKCS#11 support for ACME account-key and TLS certificate #45

Open
rmhrisk opened this issue Jan 18, 2024 · 0 comments
Open

PKCS#11 support for ACME account-key and TLS certificate #45

rmhrisk opened this issue Jan 18, 2024 · 0 comments

Comments

@rmhrisk
Copy link

rmhrisk commented Jan 18, 2024

Is your feature request related to a problem? Please describe

No, it is not related to a problem

Describe the solution you'd like

One of the features that Nginx supports is the use of a OpenSSL engine
 which enables you to (turtles all-the-way-down) configure the use of a PKCS#11 library.

This may be possible today, but if it is I have not figured it out yet, it would be ideal to put both the ACME account key and the TLS server key on a PKCS#11 implementation such as SoftHSM, TPM2P11, or a HSM product.

Many organizations, including banks and governments, will require that the TLS key is in a hardware device since this is supported when not using njs-acme it would be nice if this capability was preserved.

Describe alternatives you've considered

The only alternative I can think of, unless I am missing this how to do this, is to use a different ACME client.

Additional context

N/A
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@rmhrisk