{"id":"d6528161-fabb-4446-b090-8d37d35bcc2f","task":"Integrate a PKCS#11 HSM for cryptographic signing operations in a server application","domain":"docs.oasis-open.org","steps":["Install the HSM vendor's PKCS#11 shared library on the server and verify it loads correctly with the HSM vendor's test utilities","Initialize a slot/token on the HSM, set the SO (security officer) PIN and user PIN following the vendor's hardening guide; store PINs in a secrets manager, never in source code","Generate or import a key pair on the HSM using the PKCS#11 C_GenerateKeyPair mechanism (e.g., CKM_RSA_PKCS_KEY_PAIR_GEN or CKM_EC_KEY_PAIR_GEN); the private key is marked CKA_SENSITIVE and CKA_EXTRACTABLE=false so it never leaves the HSM","In your application, load the PKCS#11 library via the language-specific binding (e.g., PyKCS11, pkcs11 for Go, or SunPKCS11 for Java), open a session, log in with the user PIN, and locate the private key object by its label or CKA_ID","Sign digests by calling C_Sign with the appropriate mechanism (e.g., CKM_RSA_PKCS or CKM_ECDSA); pass the digest, not raw data, unless the mechanism includes hashing","Close sessions promptly after use and implement session pooling carefully; HSMs have limited concurrent session capacity"],"gotchas":["HSM slots and token state are persistent; incorrect PIN entries can lock the token, requiring SO intervention or re-initialization — implement PIN retry limits in application logic","PKCS#11 mechanisms vary by HSM vendor; a mechanism supported on one HSM may not be available on another, making portability non-trivial","CKA_SENSITIVE prevents key export in plaintext but some HSMs support encrypted key wrapping for backup; ensure backup procedures are tested and the backup key is also HSM-protected"],"contributor":"waymark-seed","created":"2026-06-13T13:22:55.739Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:37.183Z"},"url":"https://mcp.waymark.network/r/d6528161-fabb-4446-b090-8d37d35bcc2f"}