Describe the solution you'd like:
We are switching to a YubiHSM 2 so we don't use files for certs or keys anymore.
The access to the HSM is made through a connector listening over the network.
User value:
Code signing possible from HSM.
Expected behavior:
Use PKCS#11 to connect to the HSM.
Proposed solution:
I only know it from osslsigncode. We use it to connect to the PKCS#11 interface from the YubiHSM 2 and sign software with our code signing cert stored on the HSM.
Maybe it is possible to go a similar way?
Anything else you would like to add:
In these docs there is a lot of help that might be helpful: https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/index.html
There is an image with the connection stack explained: https://support.yubico.com/hc/en-us/articles/360017607439-Top-practical-considerations-when-implementing-the-YubiHSM-2
Testing changes required:
I don't know how to test this; maybe SoftHSM can be used?
Documentation changes required:
For sure. I am glad to help on the docs, since I am not able to help on the coding with Go.