October 7-9, 2025
OUR MISSION
“We believe everyone should have access to security and privacy tools, whoever they are, wherever they are or whatever their personal beliefs are, as a fundamental human right.”


Building a Cloud-Native Private CA with OpenSSL and CloudHSM: A Secure, Self-Serve PKI Architecture

This talk presents a scalable framework for deploying an enterprise Private Certificate Authority (CA) using OpenSSL and cloud-based HSMs. We explore a solution that centralizes certificate lifecycle management, including issuance, monitoring, and automated expiry alerts, while enforcing security through offline key generation with OpenSSL (RSA-2048) and hardware-grade protection via AWS CloudHSM. The design eliminates direct key exposure by leveraging FIPS 140-2 Level 3-validated HSMs and enables self-service workflows with minimal manual intervention. Attendees will learn practical strategies for balancing security, automation, and usability in PKI deployments.

Date: 07.10.2025
Time: 13:30
Location: Belvedere I
Track: Security, Compliance & the Law