PKCS#11 Integration
Agents allow native tools (e.g., Jarsigner, signtool) to sign using the central platform without transferring private keys. Agents use mTLS and act as a local PKCS#11 provider or remote keystore proxy.
Setup pattern
- Register the agent in the portal and issue an mTLS client certificate.
- Install the agent on a host near the signing tools; configure the PKCS#11 shim to point to the agent.
- Configure tools (example: Java jarsigner pointing to the remote keystore) and perform signing requests transparently.
```sh
# Agent exposes a PKCS#11 endpoint at https://agent.local/pkcs11
# Configure your PKCS#11 provider to point at the agent (vendor-specific steps)
# Use jarsigner with remote keystore
jarsigner -keystore https://agent.local -storetype REMOTE -signedjar myapp-signed.jar myapp.jar alias
```

Security notes
- Ensure the agent uses mTLS and runs in a minimal-privilege environment.
- Agents should be registered and monitored; use short-lived credentials and rotate mTLS certs regularly.
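As an added example (not the product's own code or commands), the tool-configuration step above carried through with Java's built-in SunPKCS11 provider instead of the vendor-specific REMOTE store type: it writes a provider config pointing at the agent's PKCS#11 shim library, signs the jar through that provider so no key material leaves the agent, and independently verifies the result. The shim library path and key alias are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: sign with jarsigner through Java's
# SunPKCS11 provider backed by the signing agent's PKCS#11 shim library.
# Assumed placeholders (replace with the values from your agent install):
#   AGENT_P11_LIB - shim library shipped with the agent
#   KEY_ALIAS     - label of the signing key the agent exposes
set -eu

AGENT_P11_LIB="${AGENT_P11_LIB:-/opt/signing-agent/lib/libagent-pkcs11.so}"  # assumed path
KEY_ALIAS="${KEY_ALIAS:-release-key}"                                          # assumed label

# Write a SunPKCS11 config. Only the library location is written to disk;
# authentication to the platform is the agent's mTLS identity, so no PIN or
# private key ever appears in this file.
write_pkcs11_cfg() {   # $1 = output path, $2 = shim library path
  cat > "$1" <<EOF
name = SigningAgent
library = $2
slotListIndex = 0
EOF
}

# Build the exact jarsigner invocation as a string so it can be logged or
# reviewed before anything is signed. -keystore NONE is required for PKCS11.
build_sign_cmd() {     # $1 = cfg, $2 = input jar, $3 = output jar, $4 = alias
  printf 'jarsigner -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg %s -signedjar %s %s %s\n' \
    "$1" "$3" "$2" "$4"
}

# Perform the signing request; the private key stays behind the agent.
sign_jar() {           # $1 = cfg, $2 = input jar, $3 = output jar, $4 = alias
  jarsigner -keystore NONE -storetype PKCS11 \
    -providerClass sun.security.pkcs11.SunPKCS11 -providerArg "$1" \
    -signedjar "$3" "$2" "$4"
}

# Defender-side check: verify the signature and fail on any warning
# (expired cert, unsigned entries, missing chain) rather than only on errors.
verify_jar() {         # $1 = signed jar
  jarsigner -verify -strict "$1"
}

# Run end to end only when explicitly asked; functions stay importable otherwise.
if [ "${1:-}" = "--run" ]; then
  cfg="$(mktemp)"
  write_pkcs11_cfg "$cfg" "$AGENT_P11_LIB"
  sign_jar "$cfg" myapp.jar myapp-signed.jar "$KEY_ALIAS"
  verify_jar myapp-signed.jar
fi
```

Invoke as `sh sign.sh --run` on the host where the agent and its shim are installed; `jarsigner -verify -strict` is worth keeping as a separate pipeline gate so a signing step that silently produced warnings cannot pass.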