PKCS#11 is a standard interface that enables an LDAP server to use cryptographic hardware. Through PKCS#11, the server can use crypto hardware to protect the private key material that would otherwise live only in its key database file, and to offload and accelerate cryptographic operations.
You can use the PKCS#11 interface to configure the following types of crypto devices.
- Accelerators
- These devices are connected to the host by a permanent connection such as a card slot or a LAN connection. The primary purpose of an accelerator is to increase the number of cryptographic operations per second that the server can perform. The private key remains in the SSL key database (KDB) file on the host and is loaded into the accelerator as needed, so the key is no better protected than the KDB file itself. Consider this type of device only when the sole objective is higher cryptographic throughput and stronger hardware protection of the server's private key is not a requirement.
- Key storage with accelerators
- These devices are intended for server applications where cryptographic performance matters and strong protection of the server's private key is also essential. The private key and certificate are stored on the device. When a cryptographic operation requires the private key, the device performs the operation locally on the adapter; the application holds only a reference to the key and can never read it in unencrypted form. These devices usually employ tamper-resistant mechanisms to prevent external access to the key. Because the key never leaves the device in the clear, it cannot be recovered from the KDB file alone, so plan for backup and recovery of the device (or of a vendor-supported wrapped export) before relying on it.
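The practical difference between the two device types above is visible in the PKCS#11 attributes of the private key: a key confined to the device carries CKA_SENSITIVE (its value can never be read out in the clear) and lacks CKA_EXTRACTABLE, whereas a key that is merely loaded into an accelerator from the KDB file does not have those guarantees. The following check is an added example, not code from the original page or from any vendor's product. It parses the text that OpenSC's `pkcs11-tool --list-objects --type privkey --login` prints (the field layout is assumed from that tool), and the sample output embedded below is constructed rather than captured from a real token.

```python
"""Audit private keys on a PKCS#11 token: is each key actually confined to
the device (sensitive and not extractable), or could it leave the token?

Added example. Parses the textual output of OpenSC's pkcs11-tool; the
field layout (label/ID/Usage/Access lines) is an assumption about that
tool's format, and SAMPLE_OUTPUT is constructed, not real token output.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# Constructed sample: one key generated on the device, one imported key
# that the token reports as extractable.
SAMPLE_OUTPUT = """\
Using slot 0 with a present token (0x0)
Private Key Object; RSA
  label:      ldap-server-key
  ID:         01
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, always sensitive, never extractable, local
Private Key Object; RSA
  label:      imported-test-key
  ID:         02
  Usage:      decrypt, sign
  Access:     extractable
"""


@dataclass
class PrivateKey:
    label: str = ""
    key_id: str = ""
    usage: tuple[str, ...] = ()
    access: tuple[str, ...] = ()

    @property
    def hardware_protected(self) -> bool:
        # Confined to the device only if the value can never be read in the
        # clear (CKA_SENSITIVE) and cannot be exported (no CKA_EXTRACTABLE).
        # "never extractable" is a distinct flag and does not match here.
        return "sensitive" in self.access and "extractable" not in self.access


def parse_private_keys(text: str) -> list[PrivateKey]:
    """Parse pkcs11-tool object listing into PrivateKey records."""
    keys: list[PrivateKey] = []
    current: PrivateKey | None = None
    for line in text.splitlines():
        if line.startswith("Private Key Object"):
            current = PrivateKey()
            keys.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"\s+(\w+):\s+(.*)", line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2).strip()
        if name == "label":
            current.label = value
        elif name == "id":
            current.key_id = value
        elif name == "usage":
            current.usage = tuple(v.strip() for v in value.split(","))
        elif name == "access":
            current.access = tuple(v.strip() for v in value.split(","))
    return keys


def audit(text: str) -> dict[str, bool]:
    """Map each key label to whether it is confined to the device."""
    return {k.label: k.hardware_protected for k in parse_private_keys(text)}


def list_private_keys(module_path: str, pin: str) -> str:
    """Run pkcs11-tool against a real token. module_path is the vendor's
    PKCS#11 library (hypothetical here); requires OpenSC on the host."""
    result = subprocess.run(
        ["pkcs11-tool", "--module", module_path, "--login", "--pin", pin,
         "--list-objects", "--type", "privkey"],
        check=True, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in list_private_keys()
    # for a live token.
    for label, confined in audit(SAMPLE_OUTPUT).items():
        state = "confined to device" if confined else "EXTRACTABLE: key can leave the token"
        print(f"{label}: {state}")
```

Run this against the token after generating the server key with the vendor's tooling; a key that shows up as extractable gives you only the accelerator-style protection described above, even though it sits on a key-storage device.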