2

Seeking assistance on using PKCS11 with a remote HSM.

I have a small Linux host with an HSM card installed. The HSM has libraries and utility scripts provided to interact with it, on that host. These include a pkcs11 utility. What I can’t grasp is how to access this remotely. I get that pkcs11 provides an API. But I don’t get how to use it as part of a bigger PKI infrastructure. If on another Linux host I used openssl (or another PKI toolkit) to sign a certificate request, I need access to the private key - stored on my host with its HSM. How do I do that?

The openssl command has some component using pkcs11 like “… -engine pkcs11 -keyform engine -keyfile "pkcs11:model=PKCS … serial=xxxxx ;token= xxxxx UserPIN= xxx …” and so on. That is obviously not contacting a network service. So how can a remote HSM that provides a signing key be reached in this case?

Am I getting the sense of this wrong? Does the whole CSR file need to be sent over to the HSM host and submitted to be signed? For example using ssh to that host and passing the CSR to a script there that then runs the pkcs11 library functions to return a cert and then provide it to the ssh based request?

I’m missing some details about how this all works. Assistance appreciated. Thank you.

r.l.

2 Answers

2

As you correctly state, the PKCS#11 standard defines an API called Cryptoki. OpenSSL allows you to use an engine that connects to a DLL/SO implementing this API ("Cryptoki library"). It's the nature of a DLL/SO that this needs to be done locally. The Cryptoki library then talks to the "cryptographic token", which is an HSM in your case.

You should, therefore, look at the documentation of the Cryptoki library of your HSM for how to specify a remote HSM instead of a local one. This is beyond the standard and vendor specific.

But every vendor provides this functionality. However, it also requires some daemon on the server where the HSM is installed to accept incoming connections from remote libraries. Usually, vendors sell PCI cards that you can use locally and network appliances that you can use remotely.

An option could be PKCS#11 forwarding. You might have a look at https://p11-glue.github.io/p11-glue/p11-kit/manual/remoting.html but I have never used that tool.

dannyM
  • Not all vendors supply the ability to *remotely* access the PCIe form factor of their HSMs. In general, if you are buying a PCIe or USB form factor it is because you do *not* want it to be accessible from off the system where it is installed (root CAs are in general *not* remotely accessible, thus "offline root CA"). So "every vendor provides this functionality" *must* be viewed through the lens of what the form factor is. An appliance? Absolutely. PCIe or USB? Probably NOT accessible remotely. – rip... Nov 04 '20 at 06:21
0

I installed and configured the pkcs11 forwarding mechanism cited in the link in the initial answer. It works as expected. A couple of minor issues with packages and versions that contained the correct libraries, and some learning about the systemd run-user feature were my only obstacles. The ability of ssh to forward unix sockets is an impressive feature. Once set up, I could use a local socket for pkcs11-tool commands to query and sign requests using the HSM stored secrets on a separate host. Thank you for the idea.

r.l.
  • So is this an answer or is this a thank you comment to dannyM? – schroeder Dec 06 '20 at 08:25
  • I struggled with the category. I decided it was an answer as the suggestion to look at the PKCS11 remote solution came with the caveat that the poster had not used it. So having used it and found that it worked and solved my initial question regarding remote access to a pkcs11 api endpoint, I concluded it answered my question. Though I did also appreciate being alerted to it by dannyM. – r.l. Dec 06 '20 at 10:09
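
The p11-kit forwarding setup described in the second answer, written out as shell functions. This is an added example, not the poster's own commands; the module paths, the `user@hsm-host` argument and the local socket location are assumptions to adjust for your HSM vendor and distribution.

```shell
#!/bin/sh
# Added example: PKCS#11 forwarding with p11-kit over an SSH-forwarded Unix socket.
# All default values below are placeholders/assumptions, not taken from the thread.
HSM_MODULE=${HSM_MODULE:-/path/to/vendor-pkcs11.so}          # vendor Cryptoki library on the HSM host
CLIENT_MODULE=${CLIENT_MODULE:-/usr/lib64/pkcs11/p11-kit-client.so}  # path varies by distro
LOCAL_SOCK=${LOCAL_SOCK:-${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/p11-kit/pkcs11}

# Turn the address printed by "p11-kit server" into a plain socket path:
# unix:path=/run/user/1000/p11-kit/pkcs11-1234 -> /run/user/1000/p11-kit/pkcs11-1234
socket_path() {
    case "$1" in
        unix:path=/*) printf '%s\n' "${1#unix:path=}" ;;
        *) echo "unsupported server address: $1" >&2; return 1 ;;
    esac
}

# Run on the HSM host. Exports one token (selected by PKCS#11 URI) on a
# per-user Unix socket and prints that socket's path.
start_server() {   # $1 = token URI, e.g. "pkcs11:token=<label>"
    # p11-kit prints P11_KIT_SERVER_ADDRESS / P11_KIT_SERVER_PID assignments.
    eval "$(p11-kit server --provider "$HSM_MODULE" "$1")"
    socket_path "$P11_KIT_SERVER_ADDRESS"
}

# Run on the client. Forwards a local Unix socket to the remote one; no TCP
# listener is opened on either host. Whoever can connect to the local socket
# can ask the token to sign, so its directory is restricted to this user.
forward() {        # $1 = user@hsm-host, $2 = socket path printed by start_server
    mkdir -p "$(dirname "$LOCAL_SOCK")" && chmod 700 "$(dirname "$LOCAL_SOCK")"
    ssh -N -o ExitOnForwardFailure=yes -o StreamLocalBindUnlink=yes \
        -L "$LOCAL_SOCK:$2" "$1"
}

# Run on the client while forward() is active. Any PKCS#11 consumer
# (pkcs11-tool here, or the OpenSSL pkcs11 engine) loads the client module.
list_remote_slots() {
    P11_KIT_SERVER_ADDRESS="unix:path=$LOCAL_SOCK" \
        pkcs11-tool --module "$CLIENT_MODULE" -L
}
```

The private key never leaves the HSM: only Cryptoki calls and their results cross the SSH connection, and the token PIN is still required on the client side.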