Features

Design philosophy

  • Keys in a PKCS11 device

  • All certificates (and CAs) should have working CRL, OCSP, and CA Issuers fields.

  • Full ACME support

  • CMC Support

  • Elegant and simple fully automatic management API

  • Handle 10 requests per second, for example receiving a CSR and signing it with the PKCS11 device into a certificate that is returned to the client.

PKCS11 key storage

The PKCS11 CA stores its keys in a PKCS11 device. The default is the free software HSM emulator SoftHSM.
Switching to a physical HSM is as simple as changing the PKCS11 library path in the config file.
It is also possible to use a PKCS11-configured YubiKey.
The PKCS11 CA uses python-x509-pkcs11 as its PKCS11 library.
It is written by the same authors as the PKCS11 CA, and in turn builds on python-pkcs11.

ACME

PKCS11 CA implements the server side of ACME.

Note

The Automatic Certificate Management Environment (ACME) protocol is a communications protocol for automating interactions between certificate authorities and their users’ servers, allowing the automated deployment of public key infrastructure at very low cost. It was designed by the Internet Security Research Group (ISRG) for their Let’s Encrypt service. The protocol, based on passing JSON-formatted messages over HTTPS, has been published as an Internet Standard in RFC 8555 by its own chartered IETF working group.

See the ACME guide for using the PKCS11 CA with your ACME client.

CMC

PKCS11 CA is capable of responding to CMC requests. It can:

  • Issue certificates from a CMC request which contains a CSR.

  • Revoke issued certificates contained in a CMC revoke request.

Note

Certificate Management over CMS (CMC) is an Internet Standard published by the IETF, defining transport mechanisms for the Cryptographic Message Syntax (CMS). It is defined in RFC 5272, and its transport mechanisms in RFC 5273. Similarly to the Certificate Management Protocol (CMP), it can be used for obtaining X.509 digital certificates in a public key infrastructure (PKI).

See the CMC guide for using the PKCS11 CA with your CMC client.

Elegant management API

The PKCS11 CA’s management API is designed not to be needed in day-to-day operations. It is typically used only in special cases to inspect or edit the PKCS11 CA’s database.
It is a simple but elegant JWT scheme.

Note

This is under active development and might be functionally changed in the future.

See the management API guide for the PKCS11 CA.