Features
========

| `PKCS11 (HSM) key storage`_
| `ACME`_
| `CMC`_
| `Automatic OCSP, CRL, and CA Issuers`_
| `Management API`_

Design philosophy
------------------------

* Keys in a PKCS11 device
* *All* certificates (and CAs) should have working CRL, OCSP, and CA Issuers fields.
* Full ACME support
* CMC support
* Elegant and simple fully automatic management API
* Handle 10 requests per second. For example, receiving a CSR and signing it with the PKCS11 device into a certificate returned to the client.

PKCS11 key storage
------------------------

| The PKCS11 CA stores its keys in a `PKCS11`_ device. The default is to use the free software HSM emulator called SoftHSM.
| Switching to a physical HSM is as simple as changing your PKCS11 library path in the `config file`_.
| It is also possible to use a PKCS11-configured YubiKey.

| The PKCS11 CA uses `python-x509-pkcs11`_ as its PKCS11 library.
| It is written by the same authors as the PKCS11 CA. The library in turn uses `python-pkcs11`_.

ACME
----------------

| PKCS11 CA implements the server side of ACME.

.. note:: The Automatic Certificate Management Environment (ACME) protocol is a communications protocol for automating interactions between certificate authorities and their users' servers, allowing the automated deployment of public key infrastructure at very low cost. It was designed by the Internet Security Research Group (ISRG) for their Let's Encrypt service. The protocol, based on passing JSON-formatted messages over HTTPS, has been published as an Internet Standard in RFC 8555 by its own chartered IETF working group.

| Here is the `ACME guide`_ to use the PKCS11 CA with your ACME client.

CMC
------------

| PKCS11 CA is capable of responding to CMC requests.
| Issue certs from a CMC request which contains a CSR.
| Revoke issued certificates contained in a CMC revoke request.

.. note:: The Certificate Management over CMS (CMC) is an Internet Standard published by the IETF, defining transport mechanisms for the Cryptographic Message Syntax (CMS). It is defined in RFC 5272, its transport mechanisms in RFC 5273. Similarly to the Certificate Management Protocol (CMP), it can be used for obtaining X.509 digital certificates in a public key infrastructure (PKI).

| Here is the `CMC guide`_ to use the PKCS11 CA with your CMC client.

Elegant management API
-----------------------

| The PKCS11 CA's management API is designed not to be needed in day-to-day operations. It is typically only used in special cases to inspect or edit the PKCS11 CA's database.
| It is a simple but elegant JWT scheme.

.. note:: This is under active development and might be functionally changed in the future.

| Here is the `API management guide`_ for the PKCS11 CA.
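The design philosophy above requires every issued certificate to carry working CRL, OCSP and CA Issuers fields. The following added example (not code from the PKCS11 CA project) is a check a relying party or operator can run over an issued certificate to confirm those fields are present; it assumes the ``cryptography`` package is installed and builds a throwaway test certificate inline.

```python
# Added example, not part of the PKCS11 CA project. Verifies that a
# certificate carries the CRL Distribution Points extension and an
# Authority Information Access extension with both OCSP and CA Issuers
# entries. Assumes the `cryptography` package; the certificates built by
# build_test_cert() are constructed test data with a throwaway key.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID


def missing_revocation_fields(cert: x509.Certificate) -> list:
    """Return the names of the required fields the cert lacks:
    any of 'crl', 'ocsp', 'ca_issuers'. Empty list means it complies."""
    missing = []
    try:
        cert.extensions.get_extension_for_class(x509.CRLDistributionPoints)
    except x509.ExtensionNotFound:
        missing.append("crl")
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
        methods = {desc.access_method for desc in aia}
    except x509.ExtensionNotFound:
        methods = set()
    if AuthorityInformationAccessOID.OCSP not in methods:
        missing.append("ocsp")
    if AuthorityInformationAccessOID.CA_ISSUERS not in methods:
        missing.append("ca_issuers")
    return missing


def build_test_cert(with_fields: bool) -> x509.Certificate:
    """Constructed self-signed test certificate; the URLs are placeholders."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example-test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1)))
    if with_fields:
        builder = builder.add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier("http://ca.example/crl")],
            relative_name=None, reasons=None, crl_issuer=None)]), critical=False)
        builder = builder.add_extension(x509.AuthorityInformationAccess([
            x509.AccessDescription(AuthorityInformationAccessOID.OCSP,
                                   x509.UniformResourceIdentifier("http://ca.example/ocsp")),
            x509.AccessDescription(AuthorityInformationAccessOID.CA_ISSUERS,
                                   x509.UniformResourceIdentifier("http://ca.example/ca.crt")),
        ]), critical=False)
    return builder.sign(key, hashes.SHA256())
```

Run ``missing_revocation_fields`` over a PEM loaded with ``x509.load_pem_x509_certificate`` to audit certificates the CA actually issued.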