Netflix / lemur

Repository for the Lemur Certificate Manager
Apache License 2.0
1.72k stars 322 forks

Can Lemur work with HSMs? #3043

Open antonimmo opened 4 years ago

antonimmo commented 4 years ago

As I understand, Lemur doesn't have explicit support for HSMs, as it stores private keys in the Postgres DB (AFAIK). We would like to use any third-party CA, while offloading some of the computation that servers require for signing certificates, and also keeping these PKs secure.

Is there a recommended way of doing this? For instance, to make it work with AWS CloudHSM.

Thanks.

malys commented 4 years ago

Up :)

hosseinsh commented 4 years ago

Correct, Lemur doesn't offer direct integration with HSMs. I think this can be divided into two dimensions:

One way to go about this is to rely on AWS ACM for private CA management, and write a Lemur plugin that integrates with AWS CA as an issuer. AWS ACM is backed by HSM: https://aws.amazon.com/certificate-manager/private-certificate-authority/

One might need to do the calculation with respect to the costs of a CloudHSM cluster vs. AWS ACM for maintaining private CAs.
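The issuer-plugin approach described above, as an added example that is not Lemur's or the issue's own code: Lemur hands the CSR to ACM Private CA and gets back the signed certificate, so the CA's signing key never leaves the HSM-backed service. The `AcmPcaIssuer` class, `FakeAcmPcaClient`, the CA ARN and the `validity_days` option are constructed here; in a real plugin the class would subclass Lemur's `IssuerPlugin` base and the client would be `boto3.client("acm-pca")`.

```python
# Added example (not Lemur project code): the core of an issuer plugin that
# delegates signing to AWS ACM Private CA. The CA private key stays inside the
# HSM-backed service; Lemur only ever sends a CSR and stores the result.
# The client is injected so the class can be exercised offline with a fake.
from typing import Any, Dict, Tuple


class AcmPcaIssuer:
    """Submit a CSR to ACM Private CA and return the signed cert and chain."""

    title = "AWS ACM Private CA"   # assumed plugin metadata, as Lemur plugins declare
    slug = "acm-pca-issuer"

    def __init__(self, client: Any, ca_arn: str, signing_algorithm: str = "SHA256WITHRSA"):
        # `client` is a boto3 "acm-pca" client, or any object with the same two methods.
        self.client = client
        self.ca_arn = ca_arn
        self.signing_algorithm = signing_algorithm

    def create_certificate(self, csr: str, issuer_options: Dict[str, Any]) -> Tuple[str, str, str]:
        """Lemur-style issuer contract: return (certificate body, chain, external id)."""
        validity_days = int(issuer_options.get("validity_days", 365))
        if validity_days <= 0:
            raise ValueError("validity_days must be positive")
        resp = self.client.issue_certificate(
            CertificateAuthorityArn=self.ca_arn,
            Csr=csr.encode(),                          # ACM PCA takes the PEM CSR as bytes
            SigningAlgorithm=self.signing_algorithm,
            Validity={"Value": validity_days, "Type": "DAYS"},
        )
        cert_arn = resp["CertificateArn"]
        # Issuance is asynchronous; against real AWS, wait on the
        # "certificate_issued" waiter before calling get_certificate.
        issued = self.client.get_certificate(
            CertificateAuthorityArn=self.ca_arn, CertificateArn=cert_arn
        )
        return issued["Certificate"], issued.get("CertificateChain", ""), cert_arn


class FakeAcmPcaClient:
    """Constructed stand-in that records requests; no AWS access or keys needed."""

    def __init__(self) -> None:
        self.requests: list = []

    def issue_certificate(self, **kwargs):
        self.requests.append(kwargs)
        return {"CertificateArn": kwargs["CertificateAuthorityArn"] + "/certificate/0001"}

    def get_certificate(self, **kwargs):
        return {"Certificate": "-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----",
                "CertificateChain": "-----BEGIN CERTIFICATE-----\nchain-constructed\n-----END CERTIFICATE-----"}
```

The fake client only mimics the two calls the plugin makes; the point to check is that nothing but the CSR and the validity/algorithm parameters ever leave Lemur.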