Use ceremony tool for generating keys and certs; store keys on SoftHSM

Replace openssl certificate / CRL generation with the tool as used by
Let's Encrypt, storing the keys on SoftHSMv2, a simulated HSM (Hardware
Security Module).
Include migration of old setups where key files were also stored on
disk.
Arjan H
2025-01-31 20:44:48 +01:00
parent 8852d49425
commit 6d72d32398
38 changed files with 2181 additions and 583 deletions

backup

@@ -21,6 +21,11 @@ docker compose exec bmysql mysqldump boulder_sa_integration >$TMPDIR/boulder_sa_
cp -p /etc/nginx/ssl/*key* /etc/nginx/ssl/*cert.pem /etc/nginx/ssl/*.csr $TMPDIR/
cp -rp /opt/labca/data $TMPDIR/
#cp -p /opt/labca/data/config.json $TMPDIR/
cp -rp /opt/boulder/labca/certs/webpki $TMPDIR/
cp -rp /var/lib/softhsm/tokens $TMPDIR/
cd /tmp
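Review bot: The `cp -rp /var/lib/softhsm/tokens $TMPDIR/` line puts the SoftHSM token store, and with it the CA key material, into the backup staging directory, but nothing in the visible lines restricts who can read that directory or the archive built from it. Please make sure `$TMPDIR` is created owner-only (for example with `mktemp -d`) and that the final backup file gets a restrictive mode, since it now carries the same sensitivity as the token store itself. Two smaller points on the same lines: `$TMPDIR` is unquoted in every `cp`, and neither new `cp` is checked for failure, so on a setup where `/opt/boulder/labca/certs/webpki` or `/var/lib/softhsm/tokens` does not exist yet the backup could complete without the keys and certificates. Quoting `"$TMPDIR"` and aborting on a failed copy would make an incomplete backup visible.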