Cloudflare Docs
SSL/TLS
SSL/TLS
Visit SSL/TLS on GitHub
Set theme to dark (⇧+D)

Azure Managed HSM

This tutorial uses Microsoft Azure’s Managed HSM — a FIPS 140-2 Level 3 certified implementation — to deploy a VM with the Keyless SSL daemon.


​​ Before you start

Make sure you have:


​​ 1. Create a VM

Create a VM where you will deploy the keyless daemon.


​​ 2. Deploy the keyless server

Follow these instructions to deploy your keyless server.


​​ 3. Set up the Azure CLI

Set up the Azure CLI (used to access the private key).

For example, if you were using macOS:

brew install azure-cli

​​ 4. Set up the Managed HSM

  1. Log in through the Azure CLI and create a resource group for the Managed HSM in one of the supported regions:

        $ az login
        $ az group create --name HSMgroup --location southcentralus
    
     
  2. Create, provision, and activate the HSM.

  3. Add your private key to the keyvault, which returns the URI you need for Step 4:

    $ az keyvault key import --hsm-name "KeylessHSM" --name "hsm-pub-keyless" --pem-file server.key
    
  4. If the key server is running in an Azure VM in the same account, use Managed services for authorization:

    1. Enable managed services on the VM in the UI.

    2. Give your service user (associated with your VM) HSM sign permissions

      $ az keyvault role assignment create  --hsm-name KeylessHSM --assignee $(az vm identity show --name "hsmtestvm" --resource-group "HSMgroup" --query principalId -o tsv) --scope / --role "Managed HSM Crypto User"
      
  5. In the gokeyless YAML file, add the URI from Step 2 under private_key_stores. See our README for an example.

​​ 5. Restart gokeyless

Once you save the config file, restart gokeyless and verify that it started successfully:

$ sudo systemctl restart gokeyless.service
$ sudo systemctl status gokeyless.service -l