
ceremony: accept path to pkcs11 creds file

Status: Open. Opened by aarongable 7 months ago, 0 comments.

An intermediate ceremony config file currently starts like:

```yaml
ceremony-type: intermediate
pkcs11:
  module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
  pin: 1234
  signing-key-slot: 1307844626
  signing-key-label: Root YE
```

However, that module path differs on dev machines and ceremony machines, the pin is obviously fake, and the signing key slot is HSM-client-dependent. So all of those values have to be rewritten for the actual ceremony, which removes much of the value of preparing and reviewing ceremony inputs ahead of time.

Instead, it would be nice if it could look more like how the CA connects to the online HSM:

```yaml
ceremony-type: intermediate
pkcs11:
  file: path/to/int.pkcs11.json
```

This would make it much easier for the pre-prepared configs to exactly match the final configs, and for those configs to never contain actual credentials.

aarongable, Sep 03 '25 15:09