ceremony: accept path to pkcs11 creds file #8626
Open
maen-bn wants to merge 2 commits into letsencrypt:main from
only supported with the intermediate config and will overwrite any of the pkcs11 signing config values in the yaml file if the creds file path is provided and successfully loaded and parsed
850f0a9 to faec37b
faec37b to 2ec6c76
aarongable (Contributor) reviewed Feb 12, 2026 and left a comment:
Three high-level thoughts:
- This also needs to work uniformly across all other applicable ceremony types, like generating CRLs and cross-certs.
- Instead of having the CredentialsPath override the Module/PIN/etc, the .validate() method should return an error if both are supplied.
- We need to think critically about how this interacts with the root ceremony and intermediate keygen ceremony, which both use a PKCS11KeyGenConfig, which has many of the same fields. I'm truly not sure of the best solution here, and we probably shouldn't proceed until we have thought it through. I'll put my fuller thoughts on that question in the bug, where it's a bit more visible for posterity.
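Added example, not code from this PR or from Boulder: one way to implement the reviewer's second point, where validation rejects a config that supplies both a credentials file path and inline Module/PIN values instead of letting one override the other. The struct, its field set and the error values are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// pkcs11Signing is a hypothetical config shape for this example (not Boulder's
// struct): credentials are given inline or via a separate credentials file.
type pkcs11Signing struct {
	Module          string
	PIN             string
	CredentialsPath string
}

var (
	errBothSources = errors.New("pkcs11: credentials path and inline module/pin are mutually exclusive")
	errNoModule    = errors.New("pkcs11: module is required when no credentials path is set")
)

// validate fails closed on an ambiguous config instead of letting the
// credentials file silently override values written in the YAML.
func (c pkcs11Signing) validate() error {
	inline := c.Module != "" || c.PIN != ""
	switch {
	case c.CredentialsPath != "" && inline:
		// Even a lone inline PIN next to a path counts as a conflict.
		return errBothSources
	case c.CredentialsPath == "" && c.Module == "":
		return errNoModule
	}
	return nil
}

func main() {
	// Constructed sample configs; paths and PIN are placeholders.
	cases := []pkcs11Signing{
		{Module: "/usr/lib/pkcs11-module.so", PIN: "1234"},
		{CredentialsPath: "/etc/ceremony/creds.yaml"},
		{CredentialsPath: "/etc/ceremony/creds.yaml", PIN: "1234"},
		{PIN: "1234"},
	}
	for _, c := range cases {
		// Report only whether a PIN is set, never its value.
		fmt.Printf("path=%q module=%q pinSet=%t -> %v\n",
			c.CredentialsPath, c.Module, c.PIN != "", c.validate())
	}
}
```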
Only supported with the intermediate config and will overwrite any of the pkcs11 signing config values in the yaml file if the creds file path is provided and successfully loaded and parsed
Resolves #8377