The current CA certificate management scripts do not take into account the possibility that one or more certificates may be stored inside a PKCS#11 token.
The stop/start tracking needs to include the token when necessary.
The renewal and potentially other scripts need to use this token when addressing certificates. renew_ca_cert, for example, attempts to fix up the audit certificate trust but has no capacity to pass in a token name.
Chances are, for simplification, usage of an HSM or other PKCS#11 device may need to mandate that certain certificates be contained there. Certainly, support for multiple tokens would be problematic.
Authentication to this token will be an additional challenge.
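As an added illustration of the gap described in this ticket (example code, not part of FreeIPA or of this report), the snippet below shows the pieces a token-aware version of the scripts would need: NSS addresses a certificate in a PKCS#11 token as `token:nickname`, `certutil` selects the token with `-h` and reads its PIN from a file given with `-f`, and `getcert start-tracking` carries the token name with `-t` and the PIN file with `-p`. The token name `hsm`, the database path and the PIN file path are constructed for the example; the single-token check reflects the "mandate that certain certificates be contained there" point above and is an assumption about policy, not existing behaviour.

```python
"""Token-aware handling of NSS certificate nicknames (added example,
not FreeIPA code).  Token name, paths and nicknames are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class CertRef:
    """A certificate in an NSS database, optionally inside a PKCS#11 token."""
    nickname: str
    token: Optional[str] = None  # None means the internal (software) slot

    @property
    def nss_name(self) -> str:
        """The form NSS itself uses: 'token:nickname' or bare nickname."""
        return f"{self.token}:{self.nickname}" if self.token else self.nickname


def parse_nss_nickname(name: str) -> CertRef:
    """Split 'token:nickname'.  NSS treats everything before the first ':'
    as the token name, so a name without ':' lives in the internal slot."""
    token, sep, nick = name.partition(":")
    if sep and token and nick:
        return CertRef(nickname=nick, token=token)
    return CertRef(nickname=name)


def certutil_cmd(dbdir: str, ref: CertRef, pinfile: Optional[str] = None,
                 action: str = "-L") -> List[str]:
    """Build a certutil(1) argv that addresses the certificate in its token.

    A token other than the internal slot normally needs authentication,
    which certutil reads from a PIN file via -f; refuse to build a command
    that would hang on an interactive prompt in a script."""
    cmd = ["certutil", action, "-d", dbdir, "-n", ref.nss_name]
    if ref.token:
        if pinfile is None:
            raise ValueError(f"token {ref.token!r} requires a PIN file (-f)")
        cmd += ["-h", ref.token, "-f", pinfile]
    return cmd


def getcert_tracking_cmd(dbdir: str, ref: CertRef,
                         pinfile: Optional[str] = None) -> List[str]:
    """Build a 'getcert start-tracking' argv; the token name and PIN file
    are the parts the current stop/start tracking code does not carry."""
    cmd = ["getcert", "start-tracking", "-d", dbdir, "-n", ref.nickname]
    if ref.token:
        if pinfile is None:
            raise ValueError(f"token {ref.token!r} requires a PIN file (-p)")
        cmd += ["-t", ref.token, "-p", pinfile]
    return cmd


def require_single_token(refs: List[CertRef]) -> Optional[str]:
    """Assumed policy: all CA certificates share one token (or none).
    Returns that token name, or raises if the set is mixed."""
    tokens = {r.token for r in refs}
    if len(tokens) > 1:
        raise ValueError(f"CA certificates span several tokens: {sorted(t or '(internal)' for t in tokens)}")
    return next(iter(tokens)) if tokens else None


if __name__ == "__main__":
    dbdir = "/etc/pki/pki-tomcat/alias"          # constructed path
    pin = "/etc/pki/pki-tomcat/token.pin"        # constructed path
    names = ["hsm:caSigningCert cert-pki-ca", "hsm:auditSigningCert cert-pki-ca"]
    refs = [parse_nss_nickname(n) for n in names]
    print("token:", require_single_token(refs))
    for r in refs:
        print(" ".join(certutil_cmd(dbdir, r, pin)))
        print(" ".join(getcert_tracking_cmd(dbdir, r, pin)))
```

The same nickname parsing is what a script such as renew_ca_cert would need before it can trust-flag the audit certificate: without the token half of the name, `certutil -M` on the bare nickname cannot find a certificate that only exists in the HSM.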
Metadata Update from @rcritten: - Issue tagged with: hsm