Open
Labels
- idea: ideas/opportunities/feature requests which need to be further investigated before implementation
- theme:hsm: Hardware Security Module related topics
Description
Is your feature request related to a problem? Please describe.
Currently the `tedge cert create` command cannot be used if the key should be stored in a PKCS11 compatible HSM. This makes it more difficult for users to get started when using a PKCS11 compliant HSM.
Describe the solution you'd like
The following should be supported
- Add a new command, `tedge cert create-key`, which should support creating a private key (which is not exportable). The command should do this by sending a command to the tedge-p11-server via the configured socket. Ideally the algorithm should also be configurable, though we could make the algorithm configurable at a later point in time. Invoking the command should also initialize the HSM slot if necessary (though this has some limitations, e.g. I believe the softhsm2 must be initialised using its own tooling)
- Integrate the key and CSR generation into the `tedge cert download c8y` command (used to register devices via the Cumulocity Certificate Authority Feature)
Describe alternatives you've considered
Additional context