Skip to content

p11-kit

p11-kit is a proxy PKCS#11 module. This p11-kit proxy module acts like a normal PKCS#11 module, but internally loads a preconfigured set of PKCS#11 modules and manages their features as described earlier Each slot in the configured modules is exposed as a slot of the p11-kit proxy module.

It basically allow to combine multiple PKCS#11 modules (i.e. HSMs) to be used at once.

TeskaLabs SeaCat PKI supports p11-kit.

More at: p11-glue.github.io (Manual), specifically "Proxy Module".

p11-kit configuration

Each module is configured by a dedicated configration file in the pkcs11/modules/ directory.

Simple example:

/opt/local/etc/pkcs11/modules/softhsm2:

module: /opt/local/lib/softhsm/libsofthsm2.so

The configuration simply contains a path of the underlaying PKCS#11 module, in this case it is SoftHSM2.