
Cloudflare Keyless SSL with Securosys Primus HSM

Cloudflare Keyless SSL, when integrated with a Securosys Hardware Security Module (HSM), allows organizations to leverage Cloudflare’s performance and security features without ever exposing their private SSL keys. In this integration, the private keys are stored securely within the Securosys HSM, which performs cryptographic operations required during the TLS handshake. The integration ensures that the private keys remain protected within a tamper-resistant environment while still enabling Cloudflare to terminate SSL/TLS connections at its edge.

Securosys Hardware Security Modules (HSMs) are available as:

  • on-premise solutions (Primus HSM) or
  • cloud service (CloudHSM). CloudHSM minimizes customers’ time for evaluation, setup, operation, redundancy, and maintenance of the HSM infrastructure. Moreover, it is scalable according to customer needs.

Architecture

Cloudflare Keyless SSL Securosys Primus HSM integration via PKCS#11 Provider

The process begins when a client initiates a secure connection by sending a TLS handshake request to a website protected by Cloudflare. This request is intercepted at one of Cloudflare's edge servers, which forwards the necessary cryptographic data, such as the ClientHello message and signature requests, to the customer-managed key server instead of completing the handshake locally. The key server, typically deployed on-premise or in a secure cloud environment, acts as an intermediary between Cloudflare’s edge network and the HSM.

To establish a secure connection with the Securosys HSM, the key server uses the Primus PKCS#11 API Provider. When the key server receives a signature request from Cloudflare’s edge server, it forwards the request to the HSM over this secure, authenticated channel. The HSM performs the required cryptographic computations internally, such as generating a digital signature, without ever exposing the private key. Only the computed signature is returned to the key server, which then relays it back to the Cloudflare edge server.

With the signed data, the Cloudflare edge server completes the TLS handshake with the client, establishing a secure session without the private key ever leaving the organization’s controlled environment. This process occurs with minimal latency, preserving the performance benefits of Cloudflare’s edge network.

The integration ensures that private keys remain protected within a physically secure, tamper-resistant HSM, meeting compliance requirements and minimizing the risk of key compromise.
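The split described above, the edge holding only the certificate's public half while the key server performs every private-key operation, maps directly onto Go's crypto.Signer interface, which is how PKCS#11-backed keys are normally plugged into a Go key server. The following added example (not code from Cloudflare's or Securosys' own software) models that exchange offline: an in-memory ECDSA key stands in for the HSM-held key, and the SignRequest/SignResponse message shapes, key identifiers and transcript bytes are constructed for illustration rather than taken from the real Keyless SSL wire protocol.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignRequest is what the edge forwards to the key server: a key identifier
// and a digest of handshake data, never key material. Constructed message
// shape; Cloudflare's real Keyless SSL protocol is not reproduced here.
type SignRequest struct {
	KeyID  string
	Hash   crypto.Hash
	Digest []byte
}

// SignResponse carries only the computed signature back to the edge.
type SignResponse struct {
	Signature []byte
}

// KeyServer owns the signing keys. In the integration on this page each
// crypto.Signer would be backed by the Primus PKCS#11 provider, so Sign()
// runs inside the HSM; here an in-memory ECDSA key stands in for the HSM.
type KeyServer struct {
	signers map[string]crypto.Signer
}

// NewKeyServer creates a key server holding one stand-in key under keyID.
func NewKeyServer(keyID string) (*KeyServer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &KeyServer{signers: map[string]crypto.Signer{keyID: priv}}, nil
}

// PublicKey is all the edge is ever given: the public half of the key.
func (ks *KeyServer) PublicKey(keyID string) (crypto.PublicKey, error) {
	s, ok := ks.signers[keyID]
	if !ok {
		return nil, fmt.Errorf("unknown key id %q", keyID)
	}
	return s.Public(), nil
}

// HandleSign validates the request and signs the digest. Only the signature
// leaves this function; the private key is never serialized or returned.
func (ks *KeyServer) HandleSign(req SignRequest) (SignResponse, error) {
	s, ok := ks.signers[req.KeyID]
	if !ok {
		return SignResponse{}, fmt.Errorf("unknown key id %q", req.KeyID)
	}
	if len(req.Digest) != req.Hash.Size() {
		return SignResponse{}, fmt.Errorf("digest length %d does not match %v", len(req.Digest), req.Hash)
	}
	sig, err := s.Sign(rand.Reader, req.Digest, req.Hash)
	if err != nil {
		return SignResponse{}, err
	}
	return SignResponse{Signature: sig}, nil
}

// NewSignRequest hashes the handshake transcript as the edge would before
// forwarding it; the transcript bytes are constructed input.
func NewSignRequest(keyID string, transcript []byte) SignRequest {
	d := sha256.Sum256(transcript)
	return SignRequest{KeyID: keyID, Hash: crypto.SHA256, Digest: d[:]}
}

// EdgeServer models the Cloudflare edge: it holds the certificate's public
// key and a handle to the key server, but no private key at all.
type EdgeServer struct {
	keyID string
	pub   crypto.PublicKey
	ks    *KeyServer
}

// CompleteHandshake requests a signature over the transcript digest and
// verifies it with the public key, exactly as the TLS client will.
func (e *EdgeServer) CompleteHandshake(transcript []byte) (bool, error) {
	req := NewSignRequest(e.keyID, transcript)
	resp, err := e.ks.HandleSign(req)
	if err != nil {
		return false, err
	}
	pub, ok := e.pub.(*ecdsa.PublicKey)
	if !ok {
		return false, errors.New("unexpected public key type")
	}
	return ecdsa.VerifyASN1(pub, req.Digest, resp.Signature), nil
}

func main() {
	ks, err := NewKeyServer("example-site-key")
	if err != nil {
		panic(err)
	}
	pub, _ := ks.PublicKey("example-site-key")
	edge := &EdgeServer{keyID: "example-site-key", pub: pub, ks: ks}
	ok, err := edge.CompleteHandshake([]byte("constructed ClientHello||ServerHello transcript"))
	fmt.Println("handshake signature valid:", ok, "err:", err)
}
```

Swapping the in-memory key for a PKCS#11-backed crypto.Signer (for example one obtained through a PKCS#11 wrapper library pointed at the Primus provider) changes nothing on the edge side: the edge code only ever sees a public key and a signature, which is the property the integration relies on. The length check in HandleSign is the kind of input validation a key server should perform before handing anything to the HSM, since the HSM will sign whatever digest it is given.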

Target Audience

This document is intended for Securosys Primus HSM or CloudHSM users and administrators, and for IT professionals in charge of Cloudflare administration.

For on-premise deployments, administrative skills for Securosys Primus HSMs are required.

Support Contact

If you encounter a problem while installing/configuring the PKCS#11 provider or integrating the HSM with Cloudflare Keyless SSL, make sure that you have read the referenced documentation. If you cannot resolve the issue, please contact Securosys Customer Support. For specific requests regarding Securosys integration with Cloudflare Keyless SSL, the Securosys Support Portal is reachable under https://support.securosys.com.

Getting Started with Cloudflare & Securosys HSMs

For a smooth start integrating your Primus HSM with Cloudflare Keyless SSL:
