SoftHSMv2
1. Install and configure SoftHSMv2
First, we install SoftHSMv2 and configure it to store tokens in the default location /var/lib/softhsm/tokens. We also need to give the softhsm group permission to this directory as this is how the keyless user will access this directory.
2. Create a token and private keys, and generate CSRs
Next, we create a token in slot 0 called test-token and secure it with a PIN of 1234. In this slot we’ll store the RSA keys for our SSL certificates for keyless-softhsm.example.com.
Using cfssl, we generate the private keys and Certificate Signing Requests (CSRs), the latter of which will be sent to a Certificate Authority (CA) for signing.
3. Convert and import the key
Now that the key has been generated, it’s time to load it into the slot we created. Before doing so, we need to convert from PKCS#1 to PKCS#8 format. During import, we specify the token and PIN from token initialization and provide a unique hexadecimal ID and label to the key.
After importing we ask pkcs11-tool to confirm the objects have been successfully stored in the token.
4. Modify your gokeyless config file and restart the service
With the keys in place, it’s time to build the configuration file that the key server will read on startup. The id refers to the hexadecimal ID you provided to the softhsm2-util import statement; we used a000 so it is encoded as %a0%00. The module-path will vary slightly based on the Linux distribution you are using. On Debian it should be /usr/lib/softhsm/libsofthsm2.so.
Open up /etc/keyless/gokeyless.yaml and immediately after
add
Save the config file, restart gokeyless, and verify it started successfully.