Using HSMs with Distributed Issuer

Distributed Issuer (formerly known as Firefly) integrates with Hardware Security Modules (HSMs) to generate, store, and use the private keys behind its signing operations. With an HSM, the private key is generated inside the device and never leaves it: Distributed Issuer asks the HSM to sign through its PKCS#11 interface instead of holding the key in its own memory or on disk, so a compromise of the Distributed Issuer host or container does not expose key material. This reduces the risk of key exposure and helps meet requirements such as FIPS 140-2.

Features and benefits

  • Enhanced Security: Signing keys live in a module validated against standards such as FIPS 140-2 and Common Criteria, which protects the integrity and confidentiality of the signing operations that depend on them.
  • Centralized Key Protection: Signing keys are generated, stored, and used in one hardware-backed location rather than on each host running Distributed Issuer, reducing the risk of exposure and unauthorized access.
  • Compliance: Keeping signing keys in an HSM helps organizations meet regulatory and compliance requirements for secure key management.

Audience and use cases

  • PKI Administrators: Individuals responsible for managing cryptographic keys and ensuring the security of signing operations within an organization.
  • Enterprises: Organizations requiring high assurance for the protection of signing keys, especially in regulated industries like finance and healthcare.

Requirements and compatibility

To integrate HSMs with Distributed Issuer, you will need:
  • HSM Device: An HSM that exposes a PKCS#11 interface. Currently, only Luna Network HSM is supported.
  • Client Software: The HSM vendor's client software (the PKCS#11 library and its client configuration) installed on the host or in the container where Distributed Issuer runs.
  • Configuration Access: Ability to edit the Distributed Issuer config.yaml and, in Next-Gen Trust Security, the subordinate CA provider settings.
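
Before building the image, it is worth confirming from the host that the client software prerequisite above is actually met and that the signing key is marked non-extractable, which is what "private keys never leave the device" means at the PKCS#11 level. The following pre-flight script is an added example and is not part of Distributed Issuer or its documentation. It assumes the Luna client library is at the default path /usr/safenet/lunaclient/lib/libCryptoki2_64.so (override with PKCS11_MODULE) and that OpenSC's pkcs11-tool is installed; neither is mentioned on this page. The key label di-signing-key and the listing it parses offline are constructed.

```sh
#!/bin/sh
# HSM pre-flight check (added example; not part of Distributed Issuer).
# Assumptions: the Luna client library sits at the default path below
# (override with PKCS11_MODULE) and OpenSC's pkcs11-tool is on PATH.
PKCS11_MODULE="${PKCS11_MODULE:-/usr/safenet/lunaclient/lib/libCryptoki2_64.so}"

# Exit status: 0 = module loads and a token is visible; 1 = library missing or
# unreadable; 2 = pkcs11-tool absent; 3 = library loads but no token is
# visible to this client (commonly an unregistered client certificate).
check_pkcs11_module() {
  mod="$1"
  if [ ! -r "$mod" ]; then
    echo "PKCS#11 module not readable: $mod" >&2
    return 1
  fi
  if ! command -v pkcs11-tool >/dev/null 2>&1; then
    echo "pkcs11-tool (OpenSC) not found on PATH" >&2
    return 2
  fi
  slots=$(pkcs11-tool --module "$mod" --list-slots 2>&1) || {
    echo "$slots" >&2
    return 3
  }
  case "$slots" in
    *"token label"*) printf '%s\n' "$slots"; return 0 ;;
    *) echo "no token visible through $mod; check client registration" >&2
       return 3 ;;
  esac
}

# Reads `pkcs11-tool --list-objects --login` output on stdin and succeeds only
# if the private key with the given label is reported "never extractable",
# i.e. CKA_NEVER_EXTRACTABLE is set: the key was generated inside the HSM and
# has never been exportable through PKCS#11.
private_key_nonextractable() {
  awk -v want="$1" '
    /^Private Key Object/ { inpriv = 1; hit = 0; next }
    /^[^ \t]/             { inpriv = 0 }           # any other object header
    inpriv && /^[ \t]*label:/ {
      v = $0; sub(/^[ \t]*label:[ \t]*/, "", v); hit = (v == want)
    }
    inpriv && hit && /^[ \t]*Access:/ {
      seen = 1; if ($0 ~ /never extractable/) ok = 1
    }
    END { if (seen && ok) exit 0; exit 1 }
  '
}

# Constructed sample of pkcs11-tool --list-objects output (not captured from a
# real HSM): one key generated in-module, one marked extractable.
SAMPLE_LISTING='Private Key Object; RSA
  label:      di-signing-key
  ID:         01
  Usage:      sign
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; RSA
  label:      di-signing-key
  ID:         01
  Usage:      verify
Private Key Object; RSA
  label:      exportable-key
  ID:         02
  Usage:      sign
  Access:     sensitive, extractable'

# Returns 0 when the parser accepts the in-module key and rejects the
# extractable one.
selftest() {
  printf '%s\n' "$SAMPLE_LISTING" | private_key_nonextractable di-signing-key || return 1
  if printf '%s\n' "$SAMPLE_LISTING" | private_key_nonextractable exportable-key; then
    return 1
  fi
  return 0
}

# Usage: sh hsm-preflight.sh --check [KEY_LABEL]   (talks to the real HSM)
#        sh hsm-preflight.sh --selftest             (offline parser check)
case "${1:-}" in
  --check)
    check_pkcs11_module "$PKCS11_MODULE" || exit $?
    if [ -n "${2:-}" ]; then
      pkcs11-tool --module "$PKCS11_MODULE" --login --list-objects \
        | private_key_nonextractable "$2" \
        && echo "key '$2' is never-extractable" \
        || { echo "key '$2' missing or extractable" >&2; exit 4; }
    fi ;;
  --selftest) selftest && echo "parser self-test passed" ;;
esac
```

Run it with --check from the same host or container image that will run Distributed Issuer, since the result depends on that environment's client registration, not on the HSM alone. A key that shows up as "extractable" was not generated with the attributes this integration relies on and should be regenerated inside the HSM rather than reused.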

What's Next?

To use an HSM with Distributed Issuer, you'll need to build a custom Docker image. See Configure an HSM with Distributed Issuer on the NGTS developer documentation site.