I’m exhausted after looking for an answer for 3 days. I don’t know if my suggested flow is wrong or my Google skills have really deteriorated.
My API needs to create a valid certificate from a CSR it received, by signing it with a private key that exists ONLY inside an HSM-like service (Azure KeyVault), which unfortunately doesn’t offer Certificate Authority functions BUT does offer signing data with a key that exists there. My CA certificate’s private key is stored in the HSM. I’m using ECDSA.
My suggested flow:
- Client generates Key Pair + CSR and sends CSR to API
- API creates a certificate from the CSR
- API asks HSM to sign the CSR data and receives back a signature
- API appends the signature to the certificate and returns a signed (and including CA in chain) certificate to the Client
I’m using C# .NET Core and would like to keep it cross-platform (as it runs in Linux containers), so I have to keep it as native as possible or using Bouncy Castle (which I’m still not sure if runs in Linux .NET Core).
I really appreciate your help!