PKCS#11 HSM

Stream supports key management through PKCS#11 HSMs.

Stream has been qualified with the following HSMs, but should work with any PKCS#11 HSM:

  • Entrust nShield Solo, Entrust nShield Connect, Entrust nShield as a Service

  • Atos Proteccio

  • Thales Luna (including DPoD), Thales Protect Server

  • Utimaco CryptoServer

To set up a PKCS#11 keystore:

1. Log in to the Stream Administration Interface.

2. Go to Keystores and keys and click add_external_ca.

3. In Type, select PKCS#11. In Name, set the name you want to give to your keystore. Optionally, you can add a description to your keystore.

4. Enter the full path of your HSM's PKCS#11 library (ending in .so), then click the parse add_existing_managed_ca button. If the library was successfully loaded into Stream, your HSM's information is displayed. If you get an HSM error, check the configuration of your HSM. Click "Next".

5. Select the HSM slot that you will be using for this keystore and enter its PIN code.

6. Optionally, set a Pool Size for the PKCS#11 interface. If disabled, Stream opens a PKCS#11 session every time it needs to sign a certificate and closes it afterwards. If enabled, Stream opens the number of sessions given by the pool size value and keeps them open for as long as Stream is running, so certificates can be signed directly without opening a new PKCS#11 session each time. This is particularly useful with a slow HSM, where opening a session is a lengthy operation that can severely degrade signing performance.

Once you are done, click "Save". Your keystore should appear in your keystores list with a green circle next to its name.
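The pooling trade-off described in step 6 is shown below as an added example; it is not Stream's code and does not talk to a real HSM. A constructed stand-in token counts how many PKCS#11 sessions get opened, and a small signer class implements both modes: pool disabled (open a session per signature, then close it) and pool enabled (open `pool_size` sessions once and borrow them). The `open(user_pin=...)` shape of the stand-in is assumed to mirror a typical PKCS#11 binding such as python-pkcs11's `Token.open`; the signature bytes and the PIN value are placeholders.

```python
import queue
from dataclasses import dataclass


@dataclass
class SessionStats:
    """Counters so the two modes can be compared."""
    opened: int = 0
    closed: int = 0
    signed: int = 0


class FakeSession:
    """Constructed stand-in for an open PKCS#11 session."""

    def __init__(self, token):
        self.token = token
        self.closed = False

    def sign(self, data: bytes) -> bytes:
        if self.closed:
            raise RuntimeError("CKR_SESSION_HANDLE_INVALID")
        self.token.stats.signed += 1
        return b"sig:" + data  # placeholder, not a real signature

    def close(self) -> None:
        self.closed = True
        self.token.stats.closed += 1


class FakeToken:
    """Constructed stand-in for a PKCS#11 token in a slot. Opening a session
    is the slow step the documentation warns about; signing itself is cheap."""

    def __init__(self, stats: SessionStats, pin: str = "1234"):  # placeholder PIN
        self.stats = stats
        self.pin = pin

    def open(self, user_pin: str) -> FakeSession:
        if user_pin != self.pin:
            raise PermissionError("CKR_PIN_INCORRECT")
        self.stats.opened += 1
        return FakeSession(self)


class Pkcs11Signer:
    """pool_size == 0: one session per signature (pool disabled).
    pool_size > 0: sessions opened up front and kept open (pool enabled)."""

    def __init__(self, token: FakeToken, pin: str, pool_size: int = 0):
        self.token = token
        self.pin = pin
        self._pool = None
        if pool_size > 0:
            # Open all sessions once; a wrong PIN fails here, at startup,
            # rather than on the first signing request.
            self._pool = queue.Queue()
            for _ in range(pool_size):
                self._pool.put(token.open(user_pin=pin))

    def sign(self, data: bytes) -> bytes:
        if self._pool is None:
            session = self.token.open(user_pin=self.pin)
            try:
                return session.sign(data)
            finally:
                session.close()
        # Borrow a session; blocks when all pooled sessions are busy.
        session = self._pool.get()
        try:
            return session.sign(data)
        finally:
            self._pool.put(session)

    def close(self) -> None:
        if self._pool is not None:
            while not self._pool.empty():
                self._pool.get_nowait().close()


def compare_session_opens(n_certs: int = 50, pool_size: int = 4):
    """Sign n_certs placeholder requests in both modes and return the number
    of PKCS#11 sessions each mode opened: (pool disabled, pool enabled)."""
    no_pool, pooled = SessionStats(), SessionStats()
    s1 = Pkcs11Signer(FakeToken(no_pool), "1234", pool_size=0)
    s2 = Pkcs11Signer(FakeToken(pooled), "1234", pool_size=pool_size)
    for i in range(n_certs):
        s1.sign(b"csr-%d" % i)
        s2.sign(b"csr-%d" % i)
    s1.close()
    s2.close()
    return no_pool.opened, pooled.opened


if __name__ == "__main__":
    print("sessions opened (no pool, pool):", compare_session_opens())
```

With a slow HSM the first number is what hurts: every certificate pays a full session open. The pooled signer pays that cost `pool_size` times at startup and never again, which is exactly the behaviour step 6 describes. Note the second consequence, also implied by the text: a pooled keystore holds authenticated sessions open for the lifetime of the process, so a misconfigured PIN is detected at startup and the pool should be closed cleanly on shutdown.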