A hardware security module (HSM) is a physical device that provides physical protection for generating and storing keys, encryption and decryption, etc. The private keys generated on the device cannot be retrieved, providing strong protection.
PKCS#11 libraries are used to communicate with them: signing operations, key generation, certificate installation, etc.
The request is to provide general support for using an HSM device to store the CA and KRA private keys and certificates.
dogtag, the CA that IPA uses, supports using an HSM for storing keys.
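The point of keeping the CA and KRA keys on a token is the one stated above: the private key material cannot be retrieved. In PKCS#11 terms that means the key objects carry CKA_SENSITIVE and are never extractable, and a deployer should verify this after the token is provisioned rather than assume it. The following is an added example, not code from this ticket or from FreeIPA/dogtag: it parses the object listing format printed by OpenSC's `pkcs11-tool --list-objects` (run with `--login` so private keys are visible) and flags any private key whose access flags lack "sensitive" or "never extractable". The listing, the key labels and the `--list-objects` output layout it assumes are a constructed sample, not output from a real token.

```python
"""Check that private keys on a PKCS#11 token are sensitive and never extractable.

Assumes the object listing layout printed by `pkcs11-tool --list-objects --login`
(object header line, then indented "key: value" attribute lines).  The listing
below is a constructed sample for the example, not captured from a real HSM.
"""
from dataclasses import dataclass

# Constructed sample listing: two private keys, one of them marked extractable.
SAMPLE_LISTING = """\
Private Key Object; RSA
  label:      caSigningCert cert-pki-ca
  ID:         01
  Usage:      sign
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; RSA 3072 bits
  label:      caSigningCert cert-pki-ca
  ID:         01
  Usage:      verify
Private Key Object; RSA
  label:      transportCert cert-pki-kra
  ID:         02
  Usage:      decrypt, unwrap
  Access:     sensitive, extractable, local
"""

# Flags a CA or KRA private key must carry so it cannot leave the token.
REQUIRED_FLAGS = frozenset({"sensitive", "never extractable"})


@dataclass
class TokenObject:
    kind: str                          # e.g. "Private Key Object"
    label: str = ""
    access: frozenset = frozenset()    # parsed "Access:" flags


def parse_listing(text):
    """Parse pkcs11-tool style object listing into TokenObject records."""
    objects = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            # Header line such as "Private Key Object; RSA": kind is before the ';'
            kind = line.split(";", 1)[0].strip()
            current = TokenObject(kind=kind)
            objects.append(current)
            continue
        if current is None:
            continue  # attribute line before any header; ignore
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if key == "label":
            current.label = value
        elif key == "Access":
            current.access = frozenset(flag.strip() for flag in value.split(","))
    return objects


def weak_private_keys(objects):
    """Return labels of private keys that are missing a required protection flag."""
    return [
        obj.label
        for obj in objects
        if obj.kind == "Private Key Object" and not REQUIRED_FLAGS <= obj.access
    ]


if __name__ == "__main__":
    weak = weak_private_keys(parse_listing(SAMPLE_LISTING))
    for label in weak:
        print(f"WARNING: private key '{label}' is extractable or not sensitive")
    if not weak:
        print("all private keys are sensitive and never extractable")
```

In the constructed sample the KRA transport key is reported because its flags include "extractable" rather than "never extractable"; on a real deployment that is the condition to investigate, since an extractable key defeats the reason for using the HSM in the first place.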
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1405935
master:
ipa-4-10:
Metadata Update from @abbra: - Custom field changelog adjusted to FreeIPA CA can now be deployed with a hardware security module as a CA storage device. Supported use case details can be found in HSM design document: https://freeipa.readthedocs.io/en/ipa-4-10/designs/hsm.html
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1405935, https://issues.redhat.com/browse/RHEL-4807 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1405935)