Is your feature request related to a problem? Please describe
No, it is not related to a problem
Describe the solution you'd like
One of the features that Nginx supports is the use of an OpenSSL engine, which enables you to (turtles all-the-way-down) configure the use of a PKCS#11 library.
This may be possible today, but if it is, I have not figured it out yet. It would be ideal to put both the ACME account key and the TLS server key on a PKCS#11 implementation such as SoftHSM, TPM2P11, or an HSM product.
Many organizations, including banks and governments, will require that the TLS key is in a hardware device. Since this is supported when not using njs-acme, it would be nice if this capability was preserved.
Describe alternatives you've considered
The only alternative I can think of, unless I am missing how to do this, is to use a different ACME client.
Additional context
N/A