Hi Steve,

On 11.10.20 at 15:26, Steve Downey via OpenXPKI-users wrote:
> Hi there
>
> Martin, thanks, this helps a lot.
>
>>> If you have a security sensitive environment you should consider using a
>>> HSM and not waste your time with software keys and esoteric reasoning about
>>> cleartext passphrases
>
> This is in my project, "PKI++". For both Microsoft and OpenSSL based PKI
> solutions, I had intended to back the key storage provider with an HSM of
> sorts. I'm just not there yet in my project for either HSM backed solution to
> be implemented, and I'm also missing an HSM to store the keys. For ADCS, I've
> already looked into and understand implementing the CSP backed by an HSM, so I
> understand the principle. With OpenXPKI and what I've come to understand
> about it, the same is possible with KeyNanny as the "bridge" between the
> application and the keys.
>
> That being said, can someone suggest a general HSM that has the
> connectors / providers required to be used by both OpenXPKI and ADCS, can
> allow for multiple partitions/master keys, and is network connected? I have
> limited HSM experience, limited to HSMs of Thales and Gemalto payment HSMs.
> I need one that follows the same standards as Thales, but isn't as expensive
> as Thales. I'd like to keep both on one HSM in different partitions. My HSM
> use cases already call for 3 separate partitions.
Well, define expensive and define your requirements. The HSM adds extra costs, but measured against the TCO of a PKI solution running in an enterprise environment this will not be the biggest part.

As it happens, we are a sales partner for nCipher, and we also have good contacts to other vendors with attractive pricing models. We recently got our hands on the products of a small company based in Switzerland with very interesting products and pricing, which worked perfectly with OpenXPKI, and we have also done a PoC using the YubiHSM.

Bottom line: you can get a single HSM for less than 1000 Euros, which will be sufficient to be used as a DataVault protection device while holding the Issuing CA keys in software. For "issuing keys on HSM" you should plan with at least 1000 Euros per node per year to get a supported and maintained solution.

Oliver

--
Protect your environment - close windows and adopt a penguin!

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
