
Can Lemur work with HSMs?

Open antonimmo opened this issue 4 years ago • 2 comments

As I understand, Lemur doesn't have explicit support for HSMs, as it stores private keys in the postgres db (AFAIK). We would like to use any third-party CA, while offloading some of the computation that servers require for signing certificates, and also keeping these PKs secure.

Is there a recommended way of doing this? For instance, to make it work with AWS CloudHSM.

Thanks.

antonimmo avatar Jul 02 '20 22:07 antonimmo

Up :)

malys avatar Jul 22 '20 12:07 malys

Correct, Lemur doesn't offer direct integration with HSM. I think this can be divided into two dimensions:

  • identify a third-party CA software that can be integrated with AWS CloudHSM
  • write a Lemur plugin to use this third-party CA as an issuer

One way to go about this, is to rely on AWS ACM for private CA management, and write a Lemur-plugin that integrates with AWS CA as an issuer. AWS ACM is backed by HSM https://aws.amazon.com/certificate-manager/private-certificate-authority/

One might need to do the calculation with respect to the costs of a CloudHSM cluster vs. AWS ACM for maintaining private CAs.

hosseinsh avatar Aug 04 '20 01:08 hosseinsh
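The approach in the comment above (keep the CA key in HSM-backed AWS ACM Private CA, and have Lemur act only as an issuer client that submits CSRs) can be sketched as follows. This is an added example, not Lemur's code and not an official plugin: the class `AcmPcaIssuer`, the function `issue_certificate_via_acm_pca`, the sample CA ARN, and the offline stub client are assumptions made here. The boto3 `acm-pca` calls it uses (`issue_certificate`, `get_certificate`, `get_certificate_authority_certificate`, and the `certificate_issued` waiter) are the real API; the security point is that only a CSR and the signed certificate cross the boundary, so Lemur never holds the CA private key.

```python
"""Added example: delegating certificate signing from a Lemur-style issuer
to AWS ACM Private CA (HSM-backed). Not Lemur's own code; names are assumptions."""
import re

PEM_CSR = re.compile(r"-----BEGIN CERTIFICATE REQUEST-----.+?-----END CERTIFICATE REQUEST-----", re.S)
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def issue_certificate_via_acm_pca(client, ca_arn, csr_pem, validity_days=365,
                                  signing_algorithm="SHA256WITHRSA"):
    """Submit a PEM CSR to ACM PCA and return (cert_pem, chain_pem, cert_arn).

    `client` is a boto3 'acm-pca' client (or a compatible stub). The CA key stays
    inside the AWS service; this side only ever sees the CSR and the result.
    """
    if not PEM_CSR.search(csr_pem):
        raise ValueError("csr_pem is not a PEM certificate request")
    resp = client.issue_certificate(
        CertificateAuthorityArn=ca_arn,
        Csr=csr_pem.encode(),
        SigningAlgorithm=signing_algorithm,
        Validity={"Value": validity_days, "Type": "DAYS"},
    )
    cert_arn = resp["CertificateArn"]
    # Issuance is asynchronous: block until the certificate is retrievable.
    client.get_waiter("certificate_issued").wait(
        CertificateAuthorityArn=ca_arn, CertificateArn=cert_arn)
    got = client.get_certificate(CertificateAuthorityArn=ca_arn, CertificateArn=cert_arn)
    cert_pem, chain_pem = got["Certificate"], got.get("CertificateChain", "")
    if not PEM_CERT.search(cert_pem):
        raise RuntimeError("ACM PCA returned a non-PEM certificate body")
    return cert_pem, chain_pem, cert_arn


class AcmPcaIssuer:
    """Minimal issuer modelled on Lemur's IssuerPlugin interface (assumed shape):
    create_certificate(csr, issuer_options) -> (body, chain, external_id)
    create_authority(options) -> (root_cert, intermediate, roles)."""
    title = "ACM Private CA (example)"

    def __init__(self, client, ca_arn):
        self.client = client
        self.ca_arn = ca_arn

    def create_certificate(self, csr, issuer_options):
        days = int(issuer_options.get("validity_days", 365))  # assumed option name
        return issue_certificate_via_acm_pca(self.client, self.ca_arn, csr, validity_days=days)

    def create_authority(self, options):
        # The CA already exists in ACM; just fetch its certificate for Lemur's records.
        ca = self.client.get_certificate_authority_certificate(CertificateAuthorityArn=self.ca_arn)
        roles = [{"username": "", "password": "", "name": "acm-pca-example"}]
        return ca["Certificate"], ca.get("CertificateChain", ""), roles


# ---- Constructed offline stand-in for boto3.client("acm-pca") -------------
SAMPLE_CSR_PEM = ("-----BEGIN CERTIFICATE REQUEST-----\nMIIBconstructedCSR\n"
                  "-----END CERTIFICATE REQUEST-----\n")
SAMPLE_CA_ARN = "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/EXAMPLE-CA"


class _StubWaiter:
    def wait(self, **kwargs):
        return None


class _StubAcmPcaClient:
    """Records requests and returns constructed PEM blobs, so the example runs offline."""
    def __init__(self):
        self.requests = []
        self._issued = {}

    def issue_certificate(self, **kwargs):
        self.requests.append(kwargs)
        arn = f"{kwargs['CertificateAuthorityArn']}/certificate/EXAMPLE{len(self.requests)}"
        self._issued[arn] = "-----BEGIN CERTIFICATE-----\nMIIBconstructedLeaf\n-----END CERTIFICATE-----\n"
        return {"CertificateArn": arn}

    def get_waiter(self, name):
        assert name == "certificate_issued"
        return _StubWaiter()

    def get_certificate(self, CertificateAuthorityArn, CertificateArn):
        return {"Certificate": self._issued[CertificateArn],
                "CertificateChain": "-----BEGIN CERTIFICATE-----\nMIIBconstructedCA\n-----END CERTIFICATE-----\n"}

    def get_certificate_authority_certificate(self, CertificateAuthorityArn):
        return {"Certificate": "-----BEGIN CERTIFICATE-----\nMIIBconstructedCA\n-----END CERTIFICATE-----\n",
                "CertificateChain": ""}


if __name__ == "__main__":
    issuer = AcmPcaIssuer(_StubAcmPcaClient(), SAMPLE_CA_ARN)
    body, chain, external_id = issuer.create_certificate(SAMPLE_CSR_PEM, {"validity_days": 90})
    print(external_id)
```

Against real AWS, replace the stub with `boto3.client("acm-pca", region_name=...)`; the calling role then needs only `acm-pca:IssueCertificate` and `acm-pca:GetCertificate` on that CA ARN, which is the least-privilege boundary the HSM-backed design buys you.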