Prerequisites for Integrating Keyless SSL with Securosys HSM
Before starting the integration of the Securosys CloudHSM or on-premise Primus HSM with Cloudflare Keyless SSL, make sure the following requirements are met:
- An existing Cloudflare enterprise user account with the Keyless SSL paid add-on
- A Securosys Hardware Security Module, either:
  - a CloudHSM partition (HSM as a Service), or
  - a Primus HSM with firmware v2.8.21 or newer (contact Securosys sales)
- A server on which to run the Keyless SSL server and the Primus PKCS#11 Provider
Get a Securosys HSM
Cloud: Securosys CloudHSM is pre-configured and allows instant HSM operation for Cloudflare Keyless SSL.
Securosys CloudHSM is a Hardware Security Module (HSM) offered as a cloud service. It spares you the time-consuming evaluation, setup, operation, redundancy and maintenance of your own HSM infrastructure and scales with your needs. Its redundant cluster architecture, ranging from redundant regions up to a redundant world-wide cluster, fits perfectly with Cloudflare Keyless SSL.
On-premise: Consult the Primus HSM PKCS#11 Provider User Guide (section Primus HSM Configuration) to set up the Primus HSM for PKCS#11 usage.
For further details on the on-premise Primus HSM hardware, HA cluster setup and operation in FIPS or Common Criteria certified modes, refer to the corresponding Primus HSM User Guide (login required).
Configure the PKCS#11 API
Enable the PKCS#11 API on the HSM. Then install and configure the Primus PKCS#11 Provider on the server that will also host the Keyless SSL server. For detailed instructions, see the PKCS#11 Provider documentation.
Install the Keyless SSL Server
Install the Keyless SSL server on the same host as the Primus PKCS#11 Provider.
Then configure how the Cloudflare edge reaches your Keyless SSL server:
- Via Cloudflare Tunnel, or
- Via Public DNS.
Obtain a TLS Key
You need a private key and a corresponding certificate; the key performs the private-key operations of the TLS handshakes, so it is kept in the HSM and used by the Keyless SSL server through the PKCS#11 Provider.
You can either generate a fresh key pair directly inside the HSM or import an existing key pair.
Either can be done through any of the APIs the Primus HSM supports. See the Key Management via PKCS#11 tutorial to learn how to do it with PKCS#11-based tools.
Obtain a TLS Certificate
Obtain a certificate for your key pair, in most cases from a public CA. The exact procedure depends on the CA.
On the HSM side, you create the Certificate Signing Request (CSR) and sign it with the HSM-resident private key. This can also be done with PKCS#11-based tools; see this tutorial.
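The key-generation and CSR steps above, plus a check of the issued certificate against the CSR before it is uploaded, as an added example script that is not Securosys or Cloudflare code. It assumes OpenSC's pkcs11-tool and the libp11 OpenSSL engine are installed on the Keyless SSL host; the PKCS#11 module path, engine path, token label, key label and CSR subject are placeholders to replace with your own Primus PKCS#11 Provider settings, and the partition PIN is read from the PKCS11_PIN environment variable rather than written into the script.

```shell
#!/bin/sh
# Added example (not Securosys/Cloudflare code): create the Keyless SSL private
# key inside the HSM and build a CSR signed by that key, so the key never leaves
# the HSM. Placeholder values below are assumptions; adjust them to your setup.
set -eu

PKCS11_MODULE="${PKCS11_MODULE:-/opt/primus/lib/libprimusP11.so}"          # placeholder module path
ENGINE_SO="${ENGINE_SO:-/usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so}"   # libp11 engine, distro-specific
TOKEN_LABEL="${TOKEN_LABEL:-keyless-partition}"                            # constructed token label
KEY_LABEL="${KEY_LABEL:-keyless-tls-2048}"                                 # constructed key label
KEY_ID="${KEY_ID:-01}"
CSR_SUBJECT="${CSR_SUBJECT:-/CN=www.example.com}"                          # constructed subject

# PKCS#11 URI OpenSSL uses to find the private key; the PIN is appended from the
# environment at call time so it is stored neither here nor in the config file.
key_uri() {
    printf 'pkcs11:token=%s;object=%s;type=private' "$1" "$2"
}

# Minimal OpenSSL config loading the libp11 engine and pointing it at the
# Primus PKCS#11 module, written to a temp file so the system config is untouched.
write_openssl_cnf() {  # $1 = output file
    cat >"$1" <<EOF
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = $ENGINE_SO
MODULE_PATH = $PKCS11_MODULE
init = 0
EOF
}

# 1. Generate the RSA key pair inside the HSM, restricted to signing; the
#    private key is created in the HSM and is not marked extractable.
hsm_keygen() {
    pkcs11-tool --module "$PKCS11_MODULE" --token-label "$TOKEN_LABEL" \
        --login --pin "$PKCS11_PIN" \
        --keypairgen --key-type rsa:2048 --label "$KEY_LABEL" --id "$KEY_ID" \
        --usage-sign
}

# 2. Build a CSR whose self-signature is produced by the HSM-resident key.
hsm_csr() {  # $1 = output CSR path
    cnf="$(mktemp)"
    write_openssl_cnf "$cnf"
    OPENSSL_CONF="$cnf" openssl req -new -sha256 \
        -engine pkcs11 -keyform engine \
        -key "$(key_uri "$TOKEN_LABEL" "$KEY_LABEL");pin-value=$PKCS11_PIN" \
        -subj "$CSR_SUBJECT" -out "$1"
    rm -f "$cnf"
}

# 3. The CSR self-signature verifies only if the public key in the CSR belongs
#    to the key that signed it, i.e. the HSM key.
check_csr() {  # $1 = CSR path; exit status 0 on success
    openssl req -in "$1" -noout -verify
}

# 4. Once the CA has issued the certificate, confirm it carries the CSR's
#    (hence the HSM key's) public key before uploading it to Cloudflare.
cert_matches_csr() {  # $1 = certificate path, $2 = CSR path
    c="$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)"
    r="$(openssl req -in "$2" -noout -pubkey | openssl sha256)"
    [ "$c" = "$r" ]
}

main() {
    : "${PKCS11_PIN:?set PKCS11_PIN to the partition user PIN}"
    hsm_keygen
    hsm_csr server.csr
    check_csr server.csr
    echo "server.csr written; submit it to your CA, then run cert_matches_csr <cert> server.csr"
}

# Only talk to the HSM when explicitly requested, e.g. KEYLESS_HSM_RUN=1 ./keyless-hsm-key.sh
if [ "${KEYLESS_HSM_RUN:-0}" = "1" ]; then
    main "$@"
fi
```

Run steps 1 to 3 once with KEYLESS_HSM_RUN=1; after the CA returns the certificate, run cert_matches_csr against it so that a certificate issued for a different key (for example from an older CSR) is caught before it reaches Cloudflare.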
Upload the TLS Certificate
Upload the TLS server certificate to Cloudflare. For details, see the Cloudflare documentation.