Giters

certbot / certbot

Certbot is EFF's tool to obtain certs from Let's Encrypt and (optionally) auto-enable HTTPS on your server. It can also act as a client for any other CA that uses the ACME protocol.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

OpenSSL Engine / PKCS11 support

lukeschlather opened this issue · comments

commented

I'd like to be able to generate certificates where the private keys are stored in a hardware security module. (My specific use case is using Google Cloud HSM / libpkcs11.

It looks like this is presently possible to do with some monkey-patching in PyOpenSSL but there seems to be 3 separate problems to do it properly with also potentially needing to do something to https://github.com/pyca/cryptography .

Would you accept a solution that provided a way to do it as in [https://github.com/pyca/pyopenssl/issues/203#issuecomment-579974547] or would it need to be done properly with relevant engine interfaces exposed from PyOpenSSL? For me this is frustrating since it's potentially still some-assembly-required as I would need to make sure that the PyOpenSSL wheel is built with the right version of openssl and that it is configured to use the libpkcs11.so with the correct configuration which is very arcane.

commented

There are some conflicts between having PKCS#11 support and how Certbot works.

The regular way Certbot works, expects to have the private key on disk. Changing this assumption would be a lot to do.

Certbot also has a --csr mode which can operate with an CSR that is created via OpenSSL+PKCS#11, but it does not support the full range of operations that define Certbot (automatic renewal and installation).

Putting the complexities with OpenSSL and pyca/cryptography aside, I think that it is pretty unlikely that the project will be able to address this use case.

Sorry!

commented

What I have been envisioning is that I can have a cron that loads the existing certs from cloud storage, runs certbot to issue a DNS challenge, and then copies the certs to cloud storage. That sounds like it is consistent with running in --csr mode. It sounds like you're saying if I simply create the CSR directly with openssl this is already supported, which sounds great.

commented

Hi,

Using software based cryptography means that the private key (which should be absolutely private) may be duplicated without one knowing, authentication on-behalf.

The basic concept of private keys is that they may reside on hardware which protects them.

Applications, especially these that are popular and are in the security domain, should take that into consideration in their design.

There are solutions that we have implemented in similar projects such as openvpn, openssh, gnupg, apache and others, which enables the use of PKCS#11 based keys and certificates within popular applications.

For example, see apache documentation and seek for pkcs11 for example of how apache is leveraging the pkcs11 engine.

Automating the process can be done quite easily:

  1. Export the ability to manage keystore into a plugin
    1. Generate a key pair
    2. Create a CSR
    3. Import a certificate
  2. Implement a plugin for file based keys (current behavior)
  3. Implement a new plugin for PKCS#11
    1. The file name will be PKCS#11 URL
    2. Generate a key pair using on opensc pkcs11-tool
    3. Create a CSR using engine_pkcs11
    4. Import a certificate using opensc-pkcs11

This feature request may be renamed to a request to decouple the ACME logic and the keystore management, so that the keystore management may be implemented as plugin as well under the design constraint that it may be hardware token.

Regards,