Test branch for HSM support #139
base: main
Two very good questions, with two answers:
I'm a bit torn on if I should move key length, EC curve and maybe even password back to the command class. The upside would be a simpler CLI interface. The downside is that you cannot influence the parameters anymore in a custom backend. What if your backend supports a different set of EC curves than cryptography - as seems to be the case here? The "shared" CLI argument would still have to allow all curves (in case you choose the cryptography backend), but of course you could still throw an error in case of an unsupported curve. What do you think?
That's easy to fix! raise
FTR, this is currently blocked by SUNET/python_x509_pkcs11#24 being merged.
How to try this branch?
Follow instructions to install the HSM related modules.
ca commands
cd ca
Next create a local_settings.yaml file for HSM usage.
python manage.py migrate
python manage.py init_ca --path-length=1 --subject-format=rfc4514 Root CN=Root --key_label root_key_hype --hsm_key_type rsa_4096
Open questions
algorithm is wrong. It should be sha256 for RSA20248 and None in other cases. How to fix this?