Background
I've been playing around with the idea of using a protected private key wrapped by an API, like Azure KeyVault or Amazon KMS keys, to sign certificates for internal Private Key Infrastructure.
Conceptually, this is similar to using the OpenSSH Agent to sign connection requests for SSH. The key is never exposed to the application that prepared the request.
My interest is primarily academic. I handle RSA keys frequently for work, and just love peeking under the covers at how it all works. But if I can find something that is actually production-ready, I might use it for my day-to-day work with web deployments.
Options I've Explored
Azure KeyVault provides an interface for creating self-signed certificates, but if I want to use the certificates as client certificates with MongoDB (for example), then it would be helpful to have a certificate to use as the root.
I've looked at a number of options to achieve this goal. The one that seemed most promising is to write a custom PKCS11 provider to act as an intermediary to the API-wrapped key. Maybe using libcurl or something like that to make the API call. I'm not that competent a C/C++ programmer, so this wouldn't be a very practical solution for me... though I may be interested in pursuing it for the learning experience.
I could use a third-party solution like Hashicorp Vault PKI or CredHub Certificates. Hashicorp Vault has a storage provider to keep the resulting key in Azure KeyVault. But from the documentation, it appears both these services still leave the Private Key exposed to themselves.
I looked at pyOpenSSL as a higher-level abstraction to sign a CSR, but the API takes a private key as a parameter.
Benefits of Solution
To me, the perceived benefits of using such a solution are that the Private Key is never accessible (even to me). So an exposure of access to the Root CA key is limited to whatever certificates an attacker manages to issue while they have access.
Since access to the Key has an audit log, it would simplify tracking of its use, and identifying unauthorized access.
The Actual Question
I'm trying to find or develop a solution where the digital signature is processed by a third party, but the logic of constructing the content to sign is handled locally, preferably by known standard solutions like OpenSSL (as library or CLI).
Does a solution exist for processing an x509 CSR into an x509 Certificate where the Private Key and signing algorithms are wrapped in a Web API?
Failing that, is there any good documentation somewhere to use existing libraries to convert a CSR into a Certificate on a low level? Blog posts welcome.
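Go's standard crypto/x509 package already separates the two halves asked about here: x509.CreateCertificate assembles the TBSCertificate locally and accepts any crypto.Signer, so the only thing that has to reach the remote key is the digest. The following is an added example, not code from the question or from any vendor SDK; the KMS side is simulated by a local closure (NewFakeKMS) so it runs offline, and the function names and the "Example Internal Root" subject are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"time"
)

// remoteSigner is the CA app's view of a KMS/HSM key: only the public key is local; Sign forwards the digest to the service.
type remoteSigner struct {
	pub     crypto.PublicKey
	kmsSign func(digest []byte, h crypto.Hash) ([]byte, error) // stand-in for the KMS sign API call (assumption)
}
func (s *remoteSigner) Public() crypto.PublicKey { return s.pub }
func (s *remoteSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	return s.kmsSign(digest, opts.HashFunc())
}

// NewFakeKMS simulates the service side (assumption, so the example runs offline); the private key never leaves this closure.
func NewFakeKMS() (crypto.Signer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	return &remoteSigner{pub: &priv.PublicKey, kmsSign: func(d []byte, h crypto.Hash) ([]byte, error) {
		return rsa.SignPKCS1v15(rand.Reader, priv, h, d)
	}}, nil
}

// NewRootCA self-signs a root: CreateCertificate builds the TBSCertificate locally, calls s.Sign for the signature only, and verifies it.
func NewRootCA(s crypto.Signer) ([]byte, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal Root"},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, s.Public(), s)
}

// IssueFromCSR checks the CSR's proof-of-possession signature, then builds the leaf from its subject/public key and signs it remotely.
func IssueFromCSR(csrDER []byte, ca *x509.Certificate, s crypto.Signer) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject,
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, s)
}
```

Both Azure Key Vault's sign operation and AWS KMS Sign (with MessageType DIGEST) take a precomputed digest, which is exactly what Sign receives here, so a production remoteSigner only has to replace kmsSign with that API call. Because CreateCertificate re-verifies the returned signature against s.Public(), a misbehaving remote signer fails loudly instead of producing an unusable certificate.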