Keyless has been tested on
arm architectures. With the exception of HSM integrations, which have only been tested on
amd64, the key server binary will likely run on all [architectures that Go supports](Code support may exist for other CPUs due to ); however, these other architectures have not been tested.
In addition to running on bare metal, the key server should run without issue in a virtualized or containerized environment. Care will need to be taken to configure i) ingress access to the appropriate TCP port; ii) egress access to a non-locally attached HSM (if being used); and iii) file system access to private keys (if filesystem storage is being used).
You will need to be running a supported operating system (OS) to run Keyless. Supported operating systems include:
We strongly recommend that you use an operating system still supported by the vendor (i.e., one that receives security updates) as your key server will have access to your private keys.
Note: You will need to create a public DNS record for your key server. If you are using Cloudflare, this record cannot yet be orange clouded. As a security measure, you should obfuscate the hostname of your key server.
openssl rand 24 -hexto generate a long, random hostname such as
Before your key server(s) can be configured, you must next upload the corresponding SSL certificates to Cloudflare’s edge. During TLS termination, Cloudflare will present these certificates to connecting browsers and then (for non-resumed sessions) communicate with the specified key server to complete the handshake.
It is recommended that you upload certificates to Cloudflare with only SANs that you wish to use with Cloudflare Keyless SSL. All hostnames you wish to use with Keyless SSL must be "orange clouded" (proxied) on Cloudflare.
For each certificate you wish to use with Keyless SSL:
Log in to the Cloudflare dashboard and select your zone.
Navigate to the Crypto app.
|Key server label||Any unique identifier for your key server||"test-keyless", "production-keyless-1"|
|Key server hostname||The hostname of your key server that holds the key for this certificate (i.e., the random hostname generated earlier)||11aa40b4a5db06d4889e48e2f738950ddfa50b7349d09b5f.example.com|
|Key server port||Set to 2407 unless you have changed this on the key server||2407|
|SSL Certificate||The valid X509v3 SSL certificate (in PEM form) for which you hold the private key.||(PEM bytes)|
|Bundle method||This should almost always be Compatible. See Uploading Custom Certificates for more details||Compatible|
The final step in deploying Cloudflare’s Keyless SSL technology is installing the key server on your infrastructure, populating it with the SSL keys of the certificates you wish to use to terminate TLS at Cloudflare’s edge, and activating the key server so it can be mutually authenticated.
sudo sed -i 's/$releasever/6/' /etc/yum.repos.d/cloudflare.repo
sudo sed -i 's/$releasever/7/' /etc/yum.repos.d/cloudflare.repo
sudo apt-get install gokeyless
sudo yum install gokeyless
sudo yum install rsyslog shadow-utils && sudo yum install gokeyless
Add your Cloudflare account details to the configuration file located at
Install your private keys in
/etc/keyless/keys/ and set the user and group to keyless with 400 permissions. Keys must be in PEM or DER format and have an extension of
$ ls -l /etc/keyless/keys -r-------- 1 keyless keyless 1675 Nov 18 16:44 example.com.key
Note: when running multiple key servers, you must make sure that all required keys are distributed to each key server. Customers typically will either use a configuration management tool such as Salt, Puppet, etc. to distribute keys or mount
/etc/keyless/keys to a network location that is accessible only by your key servers. Keys are read on boot into memory, so if using a network path it must be accessible during the gokeyless process start/restart.
Alternatively, see here if your keys are stored in a hardware security module.
Restart your keyless instance:
sudo service gokeyless restart
sudo /etc/init.d/gokeyless restart
If this command fails, try troubleshooting by checking the logs.
During TLS handshakes, Cloudflare’s keyless client will initiate connections to the key server hostname or IP address you specify during certificate upload. By default, the keyless client will use a destination TCP port of 2407, but this can be changed during certificate upload or by editing the certificate details after upload.
Create firewall rules that allow your key server to accept connections from only Cloudflare. We publish our IPv4 and IPv6 addresses via our API.