GoKeyless Configuration

This section describes the configuration of the GoKeyless service by updating the gokeyless.yaml file with environment-specific parameters, including Cloudflare account details, HSM configuration, and authentication certificate paths.

  1. Update the GoKeyless Configuration File. Open the GoKeyless configuration file using the following command.

sudo nano /etc/keyless/gokeyless.yaml

The file contents are as follows:

# Set the log level (0 = DEBUG, 5 = FATAL).
loglevel: 1
# Hostname must match the key server hostname that was configured in the Cloudflare dashboard during custom certificate upload.
hostname: <your host name>

# Zone ID can be found on the Cloudflare dashboard 'Overview' tab.
zone_id: <your zone ID>

# Origin CA API Key can be found on the Cloudflare dashboard under the 'My Profile' section.
origin_ca_api_key: <your origin CA API key>

# Configure one or more private key directories.
private_key_stores:
- uri: "pkcs11:slot-id=0;object=rsa_private_key;id=%30%31;type=private?module-path=/opt/utimaco/lib/libcs_pkcs11_R3.so&pin-value=Cloud123"
#- dir: /etc/keyless/keys

# Optionally, customize the location of the certificates used for mutual authentication with Cloudflare keyless clients.
auth_cert: /etc/keyless/server.pem
auth_key: /etc/keyless/server-key.pem
auth_csr: /etc/keyless/server.csr
cloudflare_ca_cert: /etc/keyless/keyless_cacert.pem

# Optionally customize the listen ports.
port: 2407
metrics_port: 2406

# Optionally write the PID to a file (note that sysv-based systems will ignore this value and always use /var/run/gokeyless.pid).
pid_file:

  2. Save the changes and exit.
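As an added example (not part of this guide or of the GoKeyless project), the following Python checker parses the `uri:` value used above for `private_key_stores` according to RFC 7512 and reports that `pin-value` stores the HSM PIN in clear text inside gokeyless.yaml. The `lint_key_store_uri` function and its finding messages are this example's own; the sample URI is the one from the configuration above.

```python
"""Parse and lint the PKCS#11 URI of a gokeyless.yaml private_key_stores entry."""
from dataclasses import dataclass, field
from urllib.parse import unquote, unquote_to_bytes


@dataclass
class Pkcs11Uri:
    path: dict = field(default_factory=dict)   # slot-id, object, id, type ...
    query: dict = field(default_factory=dict)  # module-path, pin-value ...

    @property
    def object_id(self) -> bytes:
        """CKA_ID as raw bytes: the 'id' path attribute is percent-encoded binary."""
        return unquote_to_bytes(self.path.get("id", ""))


def parse_pkcs11_uri(uri: str) -> Pkcs11Uri:
    """Split 'pkcs11:<path attrs ;-separated>?<query attrs &-separated>' (RFC 7512)."""
    scheme, _, rest = uri.partition(":")
    if scheme != "pkcs11":
        raise ValueError(f"not a PKCS#11 URI: {uri!r}")
    path_part, _, query_part = rest.partition("?")
    parsed = Pkcs11Uri()
    for part in filter(None, path_part.split(";")):
        key, _, value = part.partition("=")
        # Keep 'id' percent-encoded so object_id can decode it to bytes.
        parsed.path[key] = value if key == "id" else unquote(value)
    for part in filter(None, query_part.split("&")):
        key, _, value = part.partition("=")
        parsed.query[key] = unquote(value)
    return parsed


def lint_key_store_uri(uri: str) -> list[str]:
    """Return the findings a reviewer would raise about a key store URI."""
    findings = []
    p = parse_pkcs11_uri(uri)
    if p.path.get("type") != "private":
        findings.append("type should be 'private' for the key server's signing key")
    if "module-path" not in p.query:
        findings.append("module-path missing: the PKCS#11 library cannot be loaded")
    if "pin-value" in p.query:
        findings.append("pin-value stores the HSM PIN in clear text in gokeyless.yaml; "
                        "restrict the file's ownership and permissions")
    return findings


# Sample input: the private_key_stores URI from the configuration above.
SAMPLE_URI = ("pkcs11:slot-id=0;object=rsa_private_key;id=%30%31;type=private"
              "?module-path=/opt/utimaco/lib/libcs_pkcs11_R3.so&pin-value=Cloud123")
```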