Document generating X.509 certs signed by HSM-maintained keys #12108
Comments
We don't currently have native support for HSMs or any other non-in-memory private keys. However, if you have some Python API to your HSM, it's possible to hook it up to x509! It's unfortunately not well documented, but https://github.com/reaperhulk/vault-signing lays out the basic pattern and shows how to implement it by example.
Interesting! So you're using One follow-up question; I notice that the repo you linked uses the
I don't know why it uses those private ones, this should be able to be implemented entirely in terms of our public API:
Are all available. @reaperhulk clean up your code plz :D
I wrote it years ago as a PoC! we should really officially document this.
I agree with that too :-) We've been using it as an example to point people to, so it'd be nice to clean up those unnecessary _ imports. (Also it was only 2 years ago! Technically years plural, but not like, forever!)
…On Fri, Dec 6, 2024 at 7:24 PM Paul Kehrer ***@***.***> wrote:
I wrote it years ago as a PoC!
we should really officially document this.
--
All that is necessary for evil to succeed is for good people to do nothing.
I tested it using the public API as recommended and everything works fine. Thanks @alex and @reaperhulk for all the help! Will leave this issue open in case you want to use it to track a documentation update, otherwise feel free to close it.
Yes, let's keep this open as a documentation task. Thanks much!
I'm using cryptography to generate X.509 certificates, which works wonderfully when my code can access the private key of the issuing certificate. However, in my environment our private keys are stored on Hardware Security Modules (HSMs), and it does not appear that cryptography supports creating certificates (or at least the to-be-signed portions of certificates) and signing certificates as two separate steps. My current flow looks something like this:
This process works, but feels very "hacky". Is there a recommended process to use an HSM to sign X.509 certificates (or CRLs, etc)? After searching through the documentation I see references to "opaque keys" and removed support for different backends, but nothing that specifically walks through how to use cryptography to integrate with an "offline" signing system, whether using a custom sign function as an input to the certificate builder, or a multi-step "generate partial certificate, then finish generating with a user-provided signature".