
Configure the Cloudflare Keyless SSL Key Server for Securosys HSM

After successfully installing the Cloudflare Keyless SSL server, make sure that the keyless user (created during the installation of the Cloudflare Keyless SSL server) has the necessary permissions to access the Primus PKCS#11 provider files. See Primus PKCS#11 Provider Installation for more information about the user and user group permissions set up when installing the PKCS#11 provider.

Ensure that the keyless user is a member of the primus user group. To add the keyless user to the primus user group execute the following command:

sudo usermod -a -G primus keyless
Note: Adding a user to a new group may require a logout/login or a reboot before the new group membership takes effect.

Configure the Keyless SSL key server to change the location of the private key store to point to the Securosys HSM. The key server will read the configuration file on startup.

  1. Open /etc/keyless/gokeyless.yaml and locate the private key store entry that you will extend:

    private_key_stores:
    - dir: /etc/keyless/keys
  2. Directly after the previous line add:

    - uri: pkcs11:token=<KeylessSSL>;object=<myrsakey>?module-path=/usr/local/primus/lib/libprimusP11.so&pin-value=<password>&max-sessions=1
    • Replace the token <KeylessSSL> parameter with the name of the partition on which you stored the certificate's private key.
    • Replace the object <myrsakey> parameter with the label of your private RSA key object.
    • Only change the module-path if libprimusP11.so is installed in a different location.
    • Replace the pin-value <password> parameter with your PKCS#11 PIN, see Prerequisites.
  3. Save the configuration file, restart the gokeyless service and verify that it started successfully.

    sudo systemctl restart gokeyless.service
    sudo systemctl status gokeyless.service -l
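The pkcs11: URI in step 2 is the one line in the configuration that most often goes wrong: a partition name or PIN containing a delimiter character (`;` in the path part, `&` in the query part) breaks parsing, and placeholders left in place produce an unhelpful startup failure. The following added example (not Securosys or Cloudflare code) builds the URI with correct RFC 7512 percent-encoding and checks an existing URI before it goes into gokeyless.yaml. The attribute names and the default module-path are the ones shown on this page; the function names and the sample values are assumptions for the example.

```python
"""Build and sanity-check the pkcs11: URI used in the private_key_stores
entry of gokeyless.yaml for a Securosys HSM.

Added example, not Securosys or Cloudflare code. It assumes the URI
form shown on this page: token and object as path attributes,
module-path, pin-value and max-sessions as query attributes.
"""
import re
from urllib.parse import quote, unquote

# RFC 7512: characters that may stay unencoded in attribute values, in
# addition to the unreserved set (ALPHA / DIGIT / "-" / "." / "_" / "~").
PATH_SAFE = ":[]@!$'()*+,=&"     # ';' separates path attributes, so it is encoded
QUERY_SAFE = ":[]@!$'()*+,=/?|"  # '&' separates query attributes, so it is encoded

PATH_ATTRS = ("token", "object")
QUERY_ATTRS = ("module-path", "pin-value", "max-sessions")
PLACEHOLDER = re.compile(r"^<.*>$")  # e.g. <KeylessSSL> left in from the template


def build_pkcs11_uri(token, object_label, pin,
                     module_path="/usr/local/primus/lib/libprimusP11.so",
                     max_sessions=1):
    """Return a pkcs11: URI for gokeyless, percent-encoding delimiter
    characters that occur in the partition name, key label or PIN."""
    path = ";".join([
        "token=" + quote(token, safe=PATH_SAFE),
        "object=" + quote(object_label, safe=PATH_SAFE),
    ])
    query = "&".join([
        "module-path=" + quote(module_path, safe=QUERY_SAFE),
        "pin-value=" + quote(pin, safe=QUERY_SAFE),
        "max-sessions=" + str(int(max_sessions)),
    ])
    return f"pkcs11:{path}?{query}"


def parse_pkcs11_uri(uri):
    """Split a pkcs11: URI into (path_attrs, query_attrs) dicts holding
    percent-decoded values."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")

    def split_attrs(part, sep):
        attrs = {}
        for item in filter(None, part.split(sep)):
            name, eq, value = item.partition("=")
            if not eq:
                raise ValueError(f"attribute without '=': {item!r}")
            attrs[name] = unquote(value)
        return attrs

    return split_attrs(path_part, ";"), split_attrs(query_part, "&")


def check_key_store_uri(uri):
    """Return findings for a private_key_stores URI. 'ERROR:' entries
    will stop gokeyless from using the key; 'WARN:' entries are
    operational reminders."""
    findings = []
    try:
        path_attrs, query_attrs = parse_pkcs11_uri(uri)
    except ValueError as exc:
        return [f"ERROR: {exc}"]

    for name in PATH_ATTRS:
        if name not in path_attrs:
            findings.append(f"ERROR: missing path attribute '{name}'")
    for name in QUERY_ATTRS:
        if name not in query_attrs:
            findings.append(f"ERROR: missing query attribute '{name}'")

    for name, value in list(path_attrs.items()) + list(query_attrs.items()):
        if PLACEHOLDER.match(value):
            findings.append(f"ERROR: '{name}' still holds the placeholder {value}")

    module_path = query_attrs.get("module-path", "")
    if module_path and not module_path.startswith("/"):
        findings.append("ERROR: module-path must be an absolute path")

    sessions = query_attrs.get("max-sessions")
    if sessions is not None and not sessions.isdigit():
        findings.append("ERROR: max-sessions must be an integer")

    if "pin-value" in query_attrs:
        findings.append("WARN: the PIN is stored in clear text in gokeyless.yaml; "
                        "keep the file readable only by the keyless user")
    return findings


if __name__ == "__main__":
    # Constructed sample values: a partition name with a space and a PIN
    # containing both URI delimiters.
    uri = build_pkcs11_uri("Keyless SSL", "myrsakey", "pa&ss;wd")
    print(uri)
    for finding in check_key_store_uri(uri):
        print(finding)
```

Run the checker on the exact line from step 2 before restarting the service: with the angle-bracket placeholders still in place it reports three ERROR findings, while a fully substituted URI returns only the WARN reminder about file permissions. Because `build_pkcs11_uri` encodes `;` and `&` in values, the resulting line can be pasted into gokeyless.yaml even when the partition name or PIN contains those characters.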