Revision as of 12:40, 7 December 2016
For background and motivation, please see the current status of PKCS#11 in Fedora.
This guideline updates the previous SSLCertificateHandling.
Proposal
How to specify a certificate or private key stored in a smart card or HSM
In April 2015, RFC 7512 defined the 'PKCS#11 URI' (scheme pkcs11:) as a standard way to identify objects such as certificates and private keys stored in smart cards or HSMs. Programs should understand that form wherever a certificate or key file would otherwise be given. For non-interactive applications that take keys and certificates from the command line or a configuration file, there should not be a separate option for loading them from a smart card or HSM; the option that accepts a file should additionally accept a PKCS#11 URI.
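The following is an added example, not code from the guideline or from any Fedora package, showing the single-option behaviour described above: one value that is treated as a PKCS#11 URI when it starts with pkcs11: and as a file path otherwise, with the URI parsed per RFC 7512 (path attributes separated by ";", query attributes by "&", values percent-encoded, the id attribute kept as raw bytes). The sample URI is constructed and modelled on the example in RFC 7512; the function names are this example's own.

```python
from urllib.parse import unquote_to_bytes

# Object classes RFC 7512 allows in the "type" path attribute.
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}
# "id" carries the raw CKA_ID bytes, so it must stay binary after decoding.
BINARY_ATTRS = {"id"}

# Constructed sample input, modelled on the example URI in RFC 7512.
RFC_EXAMPLE = (
    "pkcs11:token=The%20Software%20PKCS%2311%20Softtoken;"
    "manufacturer=Snake%20Oil,%20Inc.;model=1.0;object=my-certificate;"
    "type=cert;id=%69%95%3E%5C%F4%BD%EC%91;serial="
    "?pin-source=file:/etc/token_pin"
)


def _pct_decode(value, binary=False):
    """Percent-decode one attribute value; RFC 7512 values are pct-encoded."""
    raw = unquote_to_bytes(value)
    return raw if binary else raw.decode("utf-8")


def _split_attrs(component, separator):
    """Split a path (";") or query ("&") component into name -> decoded value.

    Splitting happens before decoding on purpose: a literal ";" or "&" inside a
    value is percent-encoded in a valid URI, so it never reaches the split raw.
    A path or query attribute repeated in the same component is rejected.
    """
    attrs = {}
    if not component:
        return attrs
    for part in component.split(separator):
        name, eq, value = part.partition("=")
        if not eq or not name:
            raise ValueError("malformed attribute: %r" % part)
        if name in attrs:
            raise ValueError("attribute %r given more than once" % name)
        attrs[name] = _pct_decode(value, binary=name in BINARY_ATTRS)
    return attrs


def parse_pkcs11_uri(uri):
    """Parse an RFC 7512 URI into {'path': {...}, 'query': {...}}.

    Unknown attribute names are passed through (the RFC allows vendor-specific
    attributes); only structural errors and an unknown "type" are rejected.
    """
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "pkcs11":
        raise ValueError("not a PKCS#11 URI: %r" % uri)
    path, _, query = rest.partition("?")
    parsed = {"path": _split_attrs(path, ";"), "query": _split_attrs(query, "&")}
    obj_type = parsed["path"].get("type")
    if obj_type is not None and obj_type not in OBJECT_TYPES:
        raise ValueError("unknown object type %r" % obj_type)
    return parsed


def is_pkcs11_uri(spec):
    """True if a certificate/key spec names a token object rather than a file."""
    return spec[:7].lower() == "pkcs11:"


def resolve_cert_spec(spec):
    """One option, two kinds of value: returns ('file', path) or ('pkcs11', parsed)."""
    if is_pkcs11_uri(spec):
        return "pkcs11", parse_pkcs11_uri(spec)
    return "file", spec


def pin_embedded(parsed):
    """True if the URI carries the PIN itself (pin-value) rather than pin-source."""
    return "pin-value" in parsed["query"]


def rejects(uri):
    """True if parse_pkcs11_uri() refuses the given string."""
    try:
        parse_pkcs11_uri(uri)
    except ValueError:
        return True
    return False
```

One caveat worth building in: a pin-value query attribute puts the PIN into the command line or configuration file, and so into process listings and shell history; programs accepting URIs this way should prefer pin-source (a file or callback) and warn when pin-value is used.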
How to specify a specific PKCS#11 provider module for the certificate or key
Packages that can potentially use PKCS#11 tokens SHOULD automatically use the tokens present in the system's p11-kit configuration, rather than requiring a PKCS#11 provider module to be specified explicitly. See the PKCS#11 packaging page for more information.
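As an added illustration of the rule above (example code, not part of the guideline, p11-kit or any package), the block below reads p11-kit-style module configuration files (the key: value format of pkcs11.conf(5), with # comments, a module: line giving the library and optional enable-in:/disable-in: program lists), derives the module name from the file name, and returns the modules a given program should load: all enabled ones by default, or one of them when a URI's module-name query attribute names it. The three .module files, their library paths and the program names are constructed for the example; it reads a single directory, whereas real p11-kit also merges the administrator's /etc/pkcs11/modules over the packaged directory.

```python
import os
import tempfile

# Constructed sample p11-kit module configuration in the key: value style of
# pkcs11.conf(5). File names, library paths and program names are hypothetical.
SAMPLE_MODULES = {
    "opensc.module": (
        "# smart card driver, available to every program\n"
        "module: /usr/lib64/pkcs11/opensc-pkcs11.so\n"
    ),
    "softhsm2.module": (
        "module: /usr/lib64/pkcs11/libsofthsm2.so\n"
        "disable-in: firefox, thunderbird\n"
    ),
    "keyring.module": (
        "module: keyring-pkcs11.so\n"
        "enable-in: seahorse\n"
        "critical: no\n"
    ),
}


def parse_module_file(text):
    """Read one .module file: blank lines and '#' comments ignored, else key: value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        conf[key.strip()] = value.strip()
    return conf


def _program_set(value):
    """enable-in / disable-in hold comma-separated program names."""
    return {name.strip() for name in value.split(",") if name.strip()}


def enabled_modules(modules_dir, program):
    """Modules a program gets from the configuration: every *.module file,
    named after the file, unless enable-in/disable-in excludes this program."""
    modules = {}
    for fname in sorted(os.listdir(modules_dir)):
        if not fname.endswith(".module"):
            continue
        with open(os.path.join(modules_dir, fname), encoding="utf-8") as fh:
            conf = parse_module_file(fh.read())
        if "module" not in conf:
            continue  # simplification for the example: no library path, no module
        if "enable-in" in conf and program not in _program_set(conf["enable-in"]):
            continue
        if "disable-in" in conf and program in _program_set(conf["disable-in"]):
            continue
        modules[fname[: -len(".module")]] = conf["module"]
    return modules


def select_modules(modules_dir, program, module_name=None):
    """No provider option of the program's own: without a module-name from the
    URI's query component, load everything enabled for this program; with one,
    narrow to that configured module. As a design choice of this example, a
    module-path pointing at an arbitrary .so is not honoured."""
    modules = enabled_modules(modules_dir, program)
    if module_name is None:
        return modules
    if module_name not in modules:
        raise LookupError("module %r is not enabled for %s" % (module_name, program))
    return {module_name: modules[module_name]}


def selectable(modules_dir, program, module_name):
    """True if select_modules() would accept module_name for this program."""
    try:
        select_modules(modules_dir, program, module_name)
    except LookupError:
        return False
    return True


def write_sample_modules_dir():
    """Materialise SAMPLE_MODULES in a temporary directory so the example runs offline."""
    path = tempfile.mkdtemp(prefix="p11-modules-")
    for fname, text in SAMPLE_MODULES.items():
        with open(os.path.join(path, fname), "w", encoding="utf-8") as fh:
            fh.write(text)
    return path
```

In a real program none of this needs to be reimplemented: C code calls p11-kit's own API (p11_kit_modules_load_and_initialize() and friends), crypto libraries that consume PKCS#11 URIs do the same underneath, and the p11-kit list-modules command shows what the configuration currently enables.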