[SSL] Add Securosys HSM guide for Keyless SSL#32097
Open
msteffen29 wants to merge 1 commit into
Open
Conversation
msteffen29
requested review from
a team,
baubuchon-cf and
elithrar
as code owners
July 15, 2026 23:19
Contributor
Review
Fix in your agentFix the following review findings in PR #32097 (https://github.com/cloudflare/cloudflare-docs/pull/32097).
Before making changes, review each finding and present a brief summary table:
- For each finding, state whether you agree, disagree, or need clarification
- If you disagree (e.g. the fix requires disproportionate effort for minimal benefit,
or the finding is factually incorrect), explain why
- If you need clarification before deciding, ask those questions
- Then share your plan for which issues to tackle and in what order
After triaging, fix all legitimate findings. For any you decide to skip,
post a comment on this PR with the finding ID and your reasoning.
---
## Code Review
### Warnings (1)
#### CR-12c8994834b3 · Credential stored in plaintext config
- **File:** `src/content/docs/ssl/keyless-ssl/hardware-security-modules/securosys-hsm.mdx` line 115
- **Issue:** The guide tells the user to set the HSM PIN in `pkcs11:...&pin-value=<password>` inside `/etc/keyless/gokeyless.yaml`, and line 121 instructs replacing the placeholder with the actual PIN. This writes a sensitive credential into a static config file.
- **Fix:** If gokeyless supports a PIN sourced from a file, environment variable, or other secrets mechanism, use that instead. Otherwise, explicitly restrict `/etc/keyless/gokeyless.yaml` permissions to the `keyless` user and warn about the credential exposure risk.
### Suggestions (1)
#### CR-a70776db03c2 · YAML list item indentation missing
- **File:** `src/content/docs/ssl/keyless-ssl/hardware-security-modules/securosys-hsm.mdx` line 115
- **Issue:** The example snippet shows `- uri: pkcs11:...` at column 0, but it must be a sibling of `- dir: /etc/keyless/keys` under `private_key_stores:`, which is indented two spaces in the preceding snippet.
- **Fix:** Indent the `- uri:` line by two spaces in the snippet so it lines up with `- dir: /etc/keyless/keys`, or add a note telling the user to preserve indentation when inserting the line.
---
## Style Guide Review
### Warnings (1)
#### SG-9dc597d64e2d · Validated frontmatter tags
- **File:** `src/content/docs/ssl/keyless-ssl/hardware-security-modules/securosys-hsm.mdx` line 10
- **Issue:** Tag "Securosys" is not among the common validated tags listed in the style guide.
- **Fix:** Use a validated tag from src/schemas/tags.ts or remove the tag if it is not allowed.
Code ReviewThis code review is in beta and may not always be helpful — use your judgment. Warnings (1)
Suggestions (1)
ConventionsNo convention issues found. Style Guide ReviewWarnings (1)
CommandsOnly codeowners can run commands. Post a comment with the command to trigger it.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a new Keyless SSL hardware security module guide for Securosys (CloudHSM and on-premise Primus HSM), mirroring the structure of the existing per-vendor HSM pages (for example, AWS CloudHSM and Google Cloud HSM).
Changes
ssl/keyless-ssl/hardware-security-modules/securosys-hsm.mdxindex.mdx"cloud HSM offerings" listWhy
Securosys supports Cloudflare Keyless SSL via PKCS#11, but there was no dedicated guide in the Cloudflare Docs. Content is adapted from the Securosys installation documentation and reformatted to match the Cloudflare Docs style and components.
Notes for reviewers
<Tabs>component for the Cloud vs. on-premise HSM choice.