All the advantages of cloud-managed public key infrastructure without the need to trust a third party with the private keys for your certificate authority.

Deploy IoT-HSM!


  • Private keys are stored securely on a YubiKey
  • No backups necessary. All state is maintained on the YubiKey
  • Docker container deployment available with SoftHSM2
  • Keys can be generated within the YubiKey or imported to allow for a backup copy
  • Multiple IoT-HSM appliances can be deployed anywhere in the world for redundancy
  • A single appliance can be used with one or more YubiKeys for multiple CAs


IoT-HSM is a lightweight appliance that is deployed to facilitate a persistent connection from your YubiKey to After it's set up, all signing requests are forwarded from to your IoT-HSM to be signed by your YubiKey. All messages sent to and from the IoT-HSM are digitally signed and end-to-end encrypted using S/MIME.


Multiple IoT-HSM appliances can be deployed anywhere in the world to respond to signature requests. will automatically route requests to available appliances.


Multiple certificate authorities can coexist on the same appliance using one or more YubiKeys. IoT-HSM can use all of the available slots on the YubiKey to store many certificate authorities. Each will maintain an independent, persistent connection to


All management is performed through an intuitive web interface. When used with YubiKey, no backups are necessary because all of the state is maintained within the YubiKey. A new appliance can be deployed at any time and when the YubiKey is inserted, the appliances will automatically discover all certificate authorities and create persistent connections for each to

Easy to Deploy and Maintain

A Docker container is available, but it can only be used with SoftHSM2. It is recommended that the container-based IoT-HSM be deployed behind a reverse proxy.