Description
Would you consider adding PKCS #11 support to acmetool? Though it would be possible to import the generated keys afterwards, it beats the purpose of using this private-key-protective API.
Apache supports use of PKCS #11 private keys and even certificates via PKCS #11, which generally is helpful to avoid that private keys are ever revealed. It remains an operational choice what implementation of the PKCS #11 API to use; it could be a software implementation, a simple USB token or a more advanced rack-mounted redundant key management solution for tens of thousands of dollars. With PKCS #11, key management quality is a choice.
This range of operational choices is why we use it in our TLS Pool project, which additionally separates TLS handling from the application process via file descriptor passing and reduces TLS implementation to one API call, fd = starttls_client (fd, ...). We intend to use that in security/privacy projects like Keyful Identity Protocol and Realm Crossover for Kerberos.
Just ask if you want to learn more about PKCS #11. These are a few speciication links that you might find interesting:
- PKCS #11 Base standard -- there are extensions such as for the set of security mechanisms.
- p11 URI standard and a commonly used implementation
Activity