Skip to content

[SSL] Add Securosys HSM guide for Keyless SSL#32097

Open
msteffen29 wants to merge 1 commit into
cloudflare:productionfrom
msteffen29:ssl-securosys-hsm
Open

[SSL] Add Securosys HSM guide for Keyless SSL#32097
msteffen29 wants to merge 1 commit into
cloudflare:productionfrom
msteffen29:ssl-securosys-hsm

Conversation

@msteffen29

Copy link
Copy Markdown

Summary

Adds a new Keyless SSL hardware security module guide for Securosys (CloudHSM and on-premise Primus HSM), mirroring the structure of the existing per-vendor HSM pages (for example, AWS CloudHSM and Google Cloud HSM).

Changes

  • New page: ssl/keyless-ssl/hardware-security-modules/securosys-hsm.mdx
  • Linked the new page from the HSM index.mdx "cloud HSM offerings" list

Why

Securosys supports Cloudflare Keyless SSL via PKCS#11, but there was no dedicated guide in the Cloudflare Docs. Content is adapted from the Securosys installation documentation and reformatted to match the Cloudflare Docs style and components.

Notes for reviewers

  • Uses the <Tabs> component for the Cloud vs. on-premise HSM choice.
  • External links point to Securosys documentation; internal links use relative paths.

@msteffen29
msteffen29 requested review from a team, baubuchon-cf and elithrar as code owners July 15, 2026 23:19
@github-actions github-actions Bot added the product:ssl Related to SSL label Jul 15, 2026
@cloudflare-docs-bot

cloudflare-docs-bot Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Review

⚠️ 2 warnings, 💡 1 suggestion found in commit 457a4d4.

Fix in your agent
Fix the following review findings in PR #32097 (https://github.com/cloudflare/cloudflare-docs/pull/32097).

Before making changes, review each finding and present a brief summary table:
- For each finding, state whether you agree, disagree, or need clarification
- If you disagree (e.g. the fix requires disproportionate effort for minimal benefit,
  or the finding is factually incorrect), explain why
- If you need clarification before deciding, ask those questions
- Then share your plan for which issues to tackle and in what order

After triaging, fix all legitimate findings. For any you decide to skip,
post a comment on this PR with the finding ID and your reasoning.

---

## Code Review

### Warnings (1)

#### CR-12c8994834b3 · Credential stored in plaintext config
- **File:** `src/content/docs/ssl/keyless-ssl/hardware-security-modules/securosys-hsm.mdx` line 115
- **Issue:** The guide tells the user to set the HSM PIN in `pkcs11:...&pin-value=<password>` inside `/etc/keyless/gokeyless.yaml`, and line 121 instructs replacing the placeholder with the actual PIN. This writes a sensitive credential into a static config file.
- **Fix:** If gokeyless supports a PIN sourced from a file, environment variable, or other secrets mechanism, use that instead. Otherwise, explicitly restrict `/etc/keyless/gokeyless.yaml` permissions to the `keyless` user and warn about the credential exposure risk.

### Suggestions (1)

#### CR-a70776db03c2 · YAML list item indentation missing
- **File:** `src/content/docs/ssl/keyless-ssl/hardware-security-modules/securosys-hsm.mdx` line 115
- **Issue:** The example snippet shows `- uri: pkcs11:...` at column 0, but it must be a sibling of `- dir: /etc/keyless/keys` under `private_key_stores:`, which is indented two spaces in the preceding snippet.
- **Fix:** Indent the `- uri:` line by two spaces in the snippet so it lines up with `- dir: /etc/keyless/keys`, or add a note telling the user to preserve indentation when inserting the line.

---

## Style Guide Review

### Warnings (1)

#### SG-9dc597d64e2d · Validated frontmatter tags
- **File:** `src/content/docs/ssl/keyless-ssl/hardware-security-modules/securosys-hsm.mdx` line 10
- **Issue:** Tag "Securosys" is not among the common validated tags listed in the style guide.
- **Fix:** Use a validated tag from src/schemas/tags.ts or remove the tag if it is not allowed.

Code Review

This code review is in beta and may not always be helpful — use your judgment.

Warnings (1)
File Issue
ssl/keyless-ssl/hardware-security-modules/securosys-hsm.mdx line 115 Credential stored in plaintext config — The guide tells the user to set the HSM PIN in pkcs11:...&pin-value=<password> inside /etc/keyless/gokeyless.yaml, and line 121 instructs replacing the placeholder with the actual PIN. This writes a sensitive credential into a static config file. Fix: If gokeyless supports a PIN sourced from a file, environment variable, or other secrets mechanism, use that instead. Otherwise, explicitly restrict /etc/keyless/gokeyless.yaml permissions to the keyless user and warn about the credential exposure risk.
Suggestions (1)
File Issue
ssl/keyless-ssl/hardware-security-modules/securosys-hsm.mdx line 115 YAML list item indentation missing — The example snippet shows - uri: pkcs11:... at column 0, but it must be a sibling of - dir: /etc/keyless/keys under private_key_stores:, which is indented two spaces in the preceding snippet. Fix: Indent the - uri: line by two spaces in the snippet so it lines up with - dir: /etc/keyless/keys, or add a note telling the user to preserve indentation when inserting the line.

Conventions

No convention issues found.

Style Guide Review

Warnings (1)
File Issue
ssl/keyless-ssl/hardware-security-modules/securosys-hsm.mdx line 10 Validated frontmatter tags — Tag "Securosys" is not among the common validated tags listed in the style guide. Fix: Use a validated tag from src/schemas/tags.ts or remove the tag if it is not allowed.
Commands

Only codeowners can run commands. Post a comment with the command to trigger it.

Command Description
/review Runs a review now. Incremental if a prior review exists, full if not.
/full-review Re-reviews the entire PR diff from scratch, ignoring incremental history. Useful after a rebase, when you want a fresh review, or if the bot gets out of sync and reports issues that no longer exist.
/ignore-review-limit Permanently lifts the 2-review automatic limit for this PR. Future pushes will trigger reviews as normal.
/disable-auto-review Stops automatic reviews from triggering on future pushes to this PR. Codeowners can still run /review or /full-review manually.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

product:ssl Related to SSL size/m

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants