ceremony: accept path to pkcs11 creds file #8377

@aarongable

Description

An intermediate ceremony config file currently starts like:

ceremony-type: intermediate
pkcs11:
  module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
  pin: 1234
  signing-key-slot: 1307844626
  signing-key-label: Root YE

However, that module path differs on dev machines and ceremony machines, the pin is obviously fake, and the signing key slot is HSM-client-dependent. So all of those values have to be rewritten for the actual ceremony, which removes much of the value of preparing and reviewing ceremony inputs ahead of time.

Instead, it would be nice if it could look more like how the CA connects to the online HSM:

ceremony-type: intermediate
pkcs11:
  file: path/to/int.pkcs11.json

This would make it much easier for the pre-prepared configs to exactly match the final configs, and for those configs to never contain actual credentials.

Labels: starter (Ideal issues for folks getting familiar with Boulder)
