Extend tedge-p11-server to support creating a Certificate Signing Request #3664

@reubenmiller

Description

Is your feature request related to a problem? Please describe.

When thin-edge.io is using a private key stored in a HSM, it uses the tedge-p11-server to interact with the private key to connect to the Cloud.

As a result, the tedge cert renew c8y and tedge cert create-csr commands no longer work, as the commands expect to have direct access to the private key, which does not exist when the tedge-p11-server (PKCS11 interface) is being used.

Today, the only way to support the cert renewal is to use tools such as gnutls-bin certtool to generate the CSR, and then use tedge cert renew --csr-path <local.csr>.

Describe the solution you'd like

Extend the tedge-p11-server to also support generating a Certificate Signing Request for keys stored in a PKCS11 compatible HSM, and integrate this support in the following commands.

tedge cert create-csr
tedge cert renew c8y

This would eliminate the dependency on additional tooling and improve the integration (e.g. the tedge commands already know where the tedge-p11-server is and which key it is using), thus reducing the chances of misconfiguration.

Describe alternatives you've considered

Additional context
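The split the request above needs, as an added example that is not thin-edge.io code: a PKCS#10 CSR is a signed CertificationRequestInfo, so the PKCS#11 side only has to expose "give me the public key" and "sign these bytes", and the CSR assembly can stay in tedge. The example assumes the Python cryptography library and a hypothetical StandInSigner class in place of tedge-p11-server.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# ecdsa-with-SHA256 OID (1.2.840.10045.4.3.2), pre-encoded as a DER OBJECT IDENTIFIER.
ECDSA_WITH_SHA256_OID = bytes.fromhex("06082a8648ce3d040302")

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value triple (definite-length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def build_cert_request_info(subject_der: bytes, spki_der: bytes) -> bytes:
    # CertificationRequestInfo, the to-be-signed part of a PKCS#10 CSR:
    # version 0, subject Name, SubjectPublicKeyInfo, empty [0] IMPLICIT attributes.
    return der_tlv(0x30, der_tlv(0x02, b"\x00") + subject_der + spki_der + b"\xa0\x00")

def assemble_csr(cri_der: bytes, signature_der: bytes) -> bytes:
    # CertificationRequest = SEQUENCE { cri, AlgorithmIdentifier, signature BIT STRING }
    alg_id = der_tlv(0x30, ECDSA_WITH_SHA256_OID)
    return der_tlv(0x30, cri_der + alg_id + der_tlv(0x03, b"\x00" + signature_der))

class StandInSigner:
    """Hypothetical stand-in for tedge-p11-server: exposes only the public key and a
    sign-these-bytes operation, so the private key never leaves the signer."""

    def __init__(self) -> None:
        self._key = ec.generate_private_key(ec.SECP256R1())  # constructed test key

    def public_spki(self) -> bytes:
        return self._key.public_key().public_bytes(
            serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)

    def sign(self, data: bytes) -> bytes:
        return self._key.sign(data, ec.ECDSA(hashes.SHA256()))  # DER-encoded (r, s)

def create_csr(signer: StandInSigner, common_name: str) -> bytes:
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cri = build_cert_request_info(subject.public_bytes(), signer.public_spki())
    return assemble_csr(cri, signer.sign(cri))  # only the CRI bytes cross to the signer

def verify_csr(csr_der: bytes) -> tuple[bool, str]:
    # Re-parse with an independent decoder and check the CSR's self-signature.
    csr = x509.load_der_x509_csr(csr_der)
    return csr.is_signature_valid, csr.subject.rfc4514_string()
```

A real implementation would fetch the SPKI from the PKCS#11 object and route sign() through the p11 server socket; verify_csr shows that a standard parser accepts the result.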

Labels: idea (ideas/opportunities/feature requests which need to be further investigated before implementation), theme:hsm (Hardware Security Module related topics)