When multiple key rings are supplied using the config defined via KMS_PKCS11_CONFIG, the pkcs11-tool --module /usr/local/lib/kms/libkmsp11.so --list-slots command returns multiple slots with the same serial number "0000000000000000"
Available slots:
Slot 0 (0x0): A virtual slot mapped to a key ring in Google Cloud KMS
token label :
token manufacturer : Google
token model : Cloud KMS Token
token flags : rng, SO PIN locked, token initialized, PIN initialized
hardware version : 0.0
firmware version : 0.0
serial num : 0000000000000000
pin min/max : 0/0
uri : pkcs11:model=Cloud%20KMS%20Token;manufacturer=Google;serial=0000000000000000;token=
Slot 1 (0x1): A virtual slot mapped to a key ring in Google Cloud KMS
token label :
token manufacturer : Google
token model : Cloud KMS Token
token flags : rng, SO PIN locked, token initialized, PIN initialized
hardware version : 0.0
firmware version : 0.0
serial num : 0000000000000000
pin min/max : 0/0
uri : pkcs11:model=Cloud%20KMS%20Token;manufacturer=Google;serial=0000000000000000;token=
The serial is often used in the PKCS#11 URI to reference a key. Without a unique serial for each, how can we distinguish between the slots? See example OpenSSL command below. Thank you!
openssl ca -in csr.req -config openssl.cnf -create_serial -policy signing_policy -batch -notext -utf8 -keyfile pkcs11:serial=0000000000000000;objectid=iothsmkey1;type=private -subj /CN=test.com/C=US -startdate 20251126202916Z -enddate 20251226203416Z -passin stdin -in csr.req
When multiple key rings are supplied using the config defined via
KMS_PKCS11_CONFIG, thepkcs11-tool --module /usr/local/lib/kms/libkmsp11.so --list-slotscommand returns multiple slots with the same serial number "0000000000000000"The serial is often used in the PKCS#11 URI to reference a key. Without a unique serial for each, how can we distinguish between the slots? See example OpenSSL command below. Thank you!