Go PKCS#11 helper module for certificate signing using HSMs.
The Setup instructions help get an HSM up and running with a usable signed Intermediate CA.
SoftHSM2, Thales SafeNet DPoD and Entrust nShield HSMs are currently documented, though any PKCS#11 compliant HSM should work.
The casigner11 command line client is work in progress, as is this documentation.
Once the signed Intermediate issuing CA cert has been produced, use TestCASigner to try out the HSM signer.
Check TESTING for more instructions.
A Vault plugin is also available which uses this pkcs11helper module to add support for HSM backed PKI.
HSM PKI for Vault was sponsored by BT UK and developed by mode51 Software under the Mozilla Public License v2.
By Chris Newman