Load client certificate from hardware security device with Pkcs11 protocol

[martinscheffler]

Component(s)

No response

Is your feature request related to a problem? Please describe.

We want to run an otel collector on an edge device. It should collect telemetry from applications running on that edge device, and forward them to another otel collector on a central server. The applications on the edge device keep client certificates for mtls in a TPM chip. We would like to also use the TPM to secure the connection from the local collector to the central collector. Is that possible as is? Or would it be possible to develop an extension that uses Pkcs11 to use a certificate in the TPM? Thank you!

Describe the solution you'd like

An extension for using Pkcs11 to establish mtls connection for otlp exporter

Describe alternatives you've considered

Establish a tls tunnel with the Pkcs11 certificates

Additional context

No response

[martinscheffler]

After digging into the otel code, I now think an extension is not the right path - that is more for modifying telemetry streams I guess. The only way to do this cleanly is probably to modify the code in configtls.go. I could try to tackle this, but only if other parties are interested in TPM authentication. In the meantime, I will try to add code to our otel connector that creates a TLS tunnel with the certificate in my TPM, then set up the grpc exporter to connect to that tunnel on localhost.

[github-actions[bot]]

This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping @open-telemetry/collector-contrib-triagers. If this issue is still relevant, please ping the code owners or leave a comment explaining why it is still relevant. Otherwise, please close it.