p11-kit
p11-kit is a proxy PKCS#11 module. This p11-kit proxy module acts like a normal PKCS#11 module, but internally loads a preconfigured set of PKCS#11 modules and manages their features as described earlier. Each slot in the configured modules is exposed as a slot of the p11-kit proxy module.
It basically allows multiple PKCS#11 modules (i.e. HSMs) to be combined and used at once.
TeskaLabs SeaCat PKI supports p11-kit.
More at: p11-glue.github.io (Manual), specifically "Proxy Module".
p11-kit configuration
Each module is configured by a dedicated configuration file in the pkcs11/modules/ directory.
Simple example:
/opt/local/etc/pkcs11/modules/softhsm2:
module: /opt/local/lib/softhsm/libsofthsm2.so
The configuration simply contains the path of the underlying PKCS#11 module; in this case it is SoftHSM2.
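Because the proxy loads every library named by a `module:` line into the calling process, it is worth checking that those paths cannot be modified by unprivileged users. The following is an added example, not code from p11-kit or SeaCat PKI; the function names `parse_module_config` and `audit_module_config` are hypothetical, and it assumes the `key: value` format with `#` comments shown above.

```python
import os
import stat

def parse_module_config(text):
    """Parse p11-kit's 'key: value' module config format into a dict."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def audit_module_config(conf_path):
    """Return a list of findings for one file from pkcs11/modules/."""
    with open(conf_path, encoding="utf-8") as fh:
        conf = parse_module_config(fh.read())
    module = conf.get("module")
    if not module:
        return ["no 'module:' entry"]
    if not os.path.isabs(module):
        return [f"'{module}' is not an absolute path; resolve it before auditing"]
    if not os.path.isfile(module):
        return [f"'{module}' does not exist"]
    findings = []
    # The library and its directory must not be writable by group/other,
    # otherwise the code loaded by the proxy could be replaced.
    for path in (module, os.path.dirname(module)):
        mode = os.stat(path).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"'{path}' is group/world-writable ({stat.filemode(mode)})")
    return findings

if __name__ == "__main__":
    import sys
    # Usage: pass one or more files from the pkcs11/modules/ directory.
    for path in sys.argv[1:]:
        for finding in audit_module_config(path) or ["ok"]:
            print(f"{path}: {finding}")
```

An empty result means the configured library exists at an absolute path and neither it nor its directory is writable by group or other.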