About This Guide

This guide describes how to integrate a Utimaco u.trust GP HSM with Cloudflare Keyless SSL. The Utimaco HSM securely stores the private key used for TLS/SSL and performs all cryptographic signing operations within the hardware, ensuring that the private key never leaves the HSM. Cloudflare Keyless SSL enables secure delivery of web traffic through Cloudflare’s global network while allowing the private key to remain under the customer’s control.
In this integration, Cloudflare handles the majority of the TLS handshake at the edge. Whenever a private key operation is required, Cloudflare securely forwards the request to a customer-managed key server running the GoKeyless service. This service interacts with the Utimaco HSM via the PKCS#11 interface to perform cryptographic operations such as signing. This approach ensures that sensitive key material is protected within the HSM at all times, while still leveraging Cloudflare’s CDN, DDoS protection, and performance optimizations.
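The split described above, as an added, self-contained Go example (not GoKeyless code, nor Utimaco's PKCS#11 library): a `SigningModule` stands in for the HSM-backed token and exposes only `Public()` and `Sign()`, a `KeyServer` accepts signing requests over that `crypto.Signer` interface, and an `Edge` holds just the certificate's public key, sends the handshake digest to the key server, and verifies the returned signature before using it. The transcript bytes and the in-process "remote call" are constructed for illustration; in the real deployment the request crosses the network to the customer's key server and the module is the PKCS#11 session.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// SigningModule is a constructed stand-in for the HSM token: it owns the
// private key and exposes only the crypto.Signer surface (Public, Sign).
// Nothing outside this type can read the key material.
type SigningModule struct {
	priv *rsa.PrivateKey
}

// NewSigningModule generates a key inside the module, mirroring a key that
// is created on, and never exported from, the HSM.
func NewSigningModule() (*SigningModule, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &SigningModule{priv: k}, nil
}

func (m *SigningModule) Public() crypto.PublicKey { return &m.priv.PublicKey }

// Sign performs the private-key operation over an already-computed digest;
// with a crypto.Hash as opts this is RSA PKCS#1 v1.5.
func (m *SigningModule) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	return m.priv.Sign(r, digest, opts)
}

// SignRequest is all the edge ever sends to the key server: the digest and
// the hash it was produced with. Handshake secrets stay at the edge, the key
// stays in the module.
type SignRequest struct {
	Digest []byte
	Hash   crypto.Hash
}

// KeyServer is the customer-managed side; it only talks to the module
// through crypto.Signer, the same abstraction a PKCS#11-backed signer offers.
type KeyServer struct {
	signer crypto.Signer
}

// Handle validates the request shape before touching the module so a
// malformed digest is rejected instead of being signed.
func (ks *KeyServer) Handle(req SignRequest) ([]byte, error) {
	if !req.Hash.Available() || len(req.Digest) != req.Hash.Size() {
		return nil, errors.New("keyserver: digest does not match requested hash")
	}
	return ks.signer.Sign(rand.Reader, req.Digest, req.Hash)
}

// Edge models the Cloudflare side: it has the public key from the
// certificate and a client to the key server, never the private key.
type Edge struct {
	pub *rsa.PublicKey
	ks  *KeyServer
}

// SignHandshake hashes the handshake transcript, asks the key server for a
// signature over the digest, and verifies the result with the public key
// before accepting it (a bad or substituted signature is caught here).
func (e *Edge) SignHandshake(transcript []byte) ([]byte, error) {
	d := sha256.Sum256(transcript)
	sig, err := e.ks.Handle(SignRequest{Digest: d[:], Hash: crypto.SHA256})
	if err != nil {
		return nil, err
	}
	if err := rsa.VerifyPKCS1v15(e.pub, crypto.SHA256, d[:], sig); err != nil {
		return nil, fmt.Errorf("edge: signature from key server failed verification: %w", err)
	}
	return sig, nil
}

func main() {
	mod, err := NewSigningModule()
	if err != nil {
		panic(err)
	}
	edge := &Edge{pub: mod.Public().(*rsa.PublicKey), ks: &KeyServer{signer: mod}}
	// Constructed transcript; a real one is the concatenated handshake messages.
	sig, err := edge.SignHandshake([]byte("constructed ClientHello||ServerHello transcript"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("edge obtained a %d-byte signature without holding the key\n", len(sig))
}
```

The point the types enforce is the boundary: `Edge` can be given a `*KeyServer` and a public key, but there is no path from it to `SigningModule.priv`, which is the property the HSM provides in hardware.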