
PKCS#11 support for ACME account-key and TLS certificate

Open rmhrisk opened this issue 1 year ago • 0 comments

Is your feature request related to a problem? Please describe

No, it is not related to a problem

Describe the solution you'd like

One of the features that Nginx supports is the use of an OpenSSL engine, which enables you to (turtles all the way down) configure the use of a PKCS#11 library.

This may be possible today, but if it is, I have not figured it out yet. It would be ideal to put both the ACME account key and the TLS server key on a PKCS#11 implementation such as SoftHSM, TPM2P11, or an HSM product.

Many organizations, including banks and governments, will require that the TLS key is in a hardware device. Since this is supported when not using njs-acme, it would be nice if this capability was preserved.

Describe alternatives you've considered

The only alternative I can think of, unless I am missing how to do this, is to use a different ACME client.

Additional context

N/A

rmhrisk, Jan 18 '24 01:01
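For readers unfamiliar with the Nginx side of the request, here is an added illustration (not from the issue author and not njs-acme's own configuration) of the difference between a file-based TLS key and one that stays inside a PKCS#11 token via the OpenSSL `pkcs11` engine. The token label, object label, PIN file path and certificate path are placeholders; the engine must already be registered in the OpenSSL configuration Nginx loads.

```nginx
# Conventional setup: the private key is a PEM file on disk, so any process
# (or backup, or attacker) that can read the file holds the key.
server {
    listen 443 ssl;
    server_name example.test;
    ssl_certificate     /etc/nginx/tls/fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/privkey.pem;   # key material readable from the filesystem
}

# PKCS#11 setup: the key is generated in and never leaves the token.
# Nginx only references it through the engine by a PKCS#11 URI (RFC 7512).
ssl_engine pkcs11;   # placeholder engine name; must match the engine id in openssl.cnf

server {
    listen 443 ssl;
    server_name example.test;
    ssl_certificate /etc/nginx/tls/fullchain.pem;    # the certificate is public; a file is fine
    # "engine:<name>:<id>" tells Nginx to ask the named OpenSSL engine for key <id>.
    # Keeping the PIN in a root-only file (pin-source) avoids embedding it in nginx.conf.
    ssl_certificate_key "engine:pkcs11:pkcs11:token=PLACEHOLDER_TOKEN;object=PLACEHOLDER_KEY;type=private;pin-source=file:/etc/nginx/tls/token.pin";
}
```

Whether the ACME account key can be handled the same way depends on the ACME client performing the signing, which is the gap the issue is asking njs-acme to close.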