
Introduction to PKCS#11

The Public-Key Cryptography Standards (PKCS) are specifications produced in cooperation among developers of secure systems to accelerate the deployment of public-key cryptography.

PKCS #11, the Cryptographic Token Interface Standard, specifies an application programming interface (API) to devices that hold cryptographic information (such as keys and certificates) and perform cryptographic functions.

Slots

The standard divides a device into "slots", in which cryptographic functionality can be accessed and information can be stored.

Objects

Information is stored as objects. The objects may be of various kinds: private or public keys, certificates, or other kinds of data objects.

Attributes

Along with the data itself, objects may have "attributes" that govern, for example, the accessibility of the object or its exportability out of the (hardware) slot. "CKA_ID" is another example of an attribute; it is used to distinguish between multiple public/private key pairs inside the same slot.
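The following added example (not part of the original page or of any Nexus product) audits the objects of one slot: it pairs keys by CKA_ID and flags private keys whose attributes allow export. The inventory is constructed sample data, the function name `audit_slot` is hypothetical, and CKA_ID values are written as hex strings for readability.

```python
from collections import defaultdict

# Constructed inventory of one slot: each object is a dict mapping PKCS #11
# attribute names to values (sample data, not output from a real token).
SLOT_OBJECTS = [
    {"CKA_CLASS": "CKO_PRIVATE_KEY", "CKA_ID": "01", "CKA_LABEL": "signer-a",
     "CKA_SENSITIVE": True, "CKA_EXTRACTABLE": False},
    {"CKA_CLASS": "CKO_PUBLIC_KEY", "CKA_ID": "01", "CKA_LABEL": "signer-a"},
    {"CKA_CLASS": "CKO_CERTIFICATE", "CKA_ID": "01", "CKA_LABEL": "signer-a"},
    {"CKA_CLASS": "CKO_PRIVATE_KEY", "CKA_ID": "02", "CKA_LABEL": "signer-b",
     "CKA_SENSITIVE": False, "CKA_EXTRACTABLE": True},
    {"CKA_CLASS": "CKO_PUBLIC_KEY", "CKA_ID": "02", "CKA_LABEL": "signer-b"},
    {"CKA_CLASS": "CKO_PRIVATE_KEY", "CKA_ID": "03", "CKA_LABEL": "orphan",
     "CKA_SENSITIVE": True, "CKA_EXTRACTABLE": False},
]


def audit_slot(objects):
    """Return sorted (CKA_ID, finding) tuples for the objects of one slot."""
    # Group as CKA_ID -> object class -> list of objects.
    by_id = defaultdict(lambda: defaultdict(list))
    for obj in objects:
        by_id[obj.get("CKA_ID", "")][obj["CKA_CLASS"]].append(obj)

    findings = []
    for cka_id, classes in by_id.items():
        # CKA_ID only separates key pairs if it is unique per object class.
        for cls, objs in classes.items():
            if len(objs) > 1:
                findings.append(
                    (cka_id, f"ambiguous: {len(objs)} {cls} objects share this CKA_ID"))
        for key in classes.get("CKO_PRIVATE_KEY", []):
            if not classes.get("CKO_PUBLIC_KEY"):
                findings.append(
                    (cka_id, "private key has no public key with the same CKA_ID"))
            # A missing attribute is treated as the unsafe value; that is a
            # conservative choice made for this example.
            if key.get("CKA_EXTRACTABLE", True):
                findings.append((cka_id, "private key is extractable"))
            if not key.get("CKA_SENSITIVE", False):
                findings.append((cka_id, "private key is not sensitive"))
    return sorted(findings)


if __name__ == "__main__":
    for cka_id, finding in audit_slot(SLOT_OBJECTS):
        print(f"CKA_ID {cka_id}: {finding}")
```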

By using PKCS #11, Nexus OCSP Responder can access hardware security modules (HSMs) from multiple vendors simultaneously, as well as software tokens stored in the built-in Cryptographic Library.
