mTLS with private key in PKCS11 device, possible ?

[fliot]

Hi,

I gone though the Bouncy Castle documentation, found some mention of PKCS11 in the documentation,
But it's not clear this kind of certificate store is really supported.

My objective is to perform mTLS (mutual TLS) communication, with a private key only usable though PKCS11 api(s),

This is something working fine with OpenSSL and PKCS11 engine module, but this is far from c# portable application...

Thanks in advance for your through.
Best regards.

[harrison314]

Yes, it is possible.

I solved this a while ago, so I don't have the sample code anymore and I'm just writing the answer from memory.
You need to implement the TlsCredentialedSigner interface, for example using the Pkcs11Interop library (because BouncyCastle itself doesn't work with pkcs11).