← Week 3: Integration + failure modes + fit analysis

Day 21: Phase 5 Final Challenge — hsm-demo + acm-pca-design.md

Phase 5 · September 15, 2026


Agenda (3 hours)

  • Complete hsm-demo (90 min): All 5 subcommands working, code clean
  • Finalize acm-pca-design.md (60 min): All 6 sections complete
  • Phase 5 reflection (30 min): What changed in your mental model?

hsm-demo Final Binary Spec

hsm-demo
├── list-slots     -- List PKCS#11 slots and token info (Day 3)
├── generate-key   -- Generate ECDSA P-256 key pair in SoftHSM2 (Day 3)
├── sign           -- Sign data with HSM-bound private key (Day 4)
├── verify         -- Verify signature using exported public key (Day 4)
└── key-ceremony   -- Simulate offline root CA key ceremony (Day 5)

Run against SoftHSM2 in development.
All subcommands must compile on stable Rust.
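One detail the sign/verify pair runs into: PKCS#11's CKM_ECDSA returns the signature as a raw r || s concatenation (64 bytes for P-256), while OpenSSL, X.509 signing and most DER-based verifiers expect an ASN.1 ECDSA-Sig-Value. The converter below is an added example, not code from hsm-demo or from cryptoki; it uses only std so it can sit between the sign and verify subcommands, and it handles the two DER INTEGER edge cases (leading zeros must be stripped; a high bit set needs a 0x00 pad so the value is not read as negative).

```rust
/// Convert a raw PKCS#11 CKM_ECDSA signature (r || s, equal-length halves,
/// 32 bytes each for P-256) into a DER-encoded ECDSA-Sig-Value:
///   SEQUENCE { INTEGER r, INTEGER s }
pub fn raw_ecdsa_to_der(raw: &[u8]) -> Result<Vec<u8>, String> {
    if raw.is_empty() || raw.len() % 2 != 0 {
        return Err(format!(
            "raw ECDSA signature must be r||s of equal length, got {} bytes",
            raw.len()
        ));
    }
    let half = raw.len() / 2;
    let r = der_integer(&raw[..half]);
    let s = der_integer(&raw[half..]);
    let body_len = r.len() + s.len();
    let mut out = Vec::with_capacity(body_len + 4);
    out.push(0x30); // SEQUENCE tag
    out.extend(der_length(body_len));
    out.extend(r);
    out.extend(s);
    Ok(out)
}

/// Encode an unsigned big-endian magnitude as a DER INTEGER.
fn der_integer(be: &[u8]) -> Vec<u8> {
    // DER requires minimal encoding: drop leading zero bytes, keep at least one.
    let mut start = 0;
    while start + 1 < be.len() && be[start] == 0 {
        start += 1;
    }
    let mag = &be[start..];
    // If the top bit is set, prefix 0x00 so the INTEGER is not read as negative.
    let needs_pad = mag[0] & 0x80 != 0;
    let mut out = vec![0x02]; // INTEGER tag
    out.extend(der_length(mag.len() + usize::from(needs_pad)));
    if needs_pad {
        out.push(0x00);
    }
    out.extend_from_slice(mag);
    out
}

/// DER length octets; signatures never exceed the two-byte long form here.
fn der_length(len: usize) -> Vec<u8> {
    match len {
        0..=0x7f => vec![len as u8],
        0x80..=0xff => vec![0x81, len as u8],
        _ => vec![0x82, (len >> 8) as u8, len as u8],
    }
}
```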


Final Binary: Cargo.toml

[package]
name = "hsm-demo"
version = "0.1.0"
edition = "2021"

[dependencies]
cryptoki  = "0.7"
clap      = { version = "4", features = ["derive"] }
hex       = "0.4"
sha2      = "0.10"
p256      = "0.13"
anyhow    = "1"
rcgen     = "0.13"    # for key-ceremony cert generation
pem       = "3"

[dev-dependencies]
tempfile  = "3"

Integration Test: Key Lifecycle

# Full end-to-end test
softhsm2-util --init-token --slot 0 --label "final-test" \
  --so-pin 12345678 --pin 123456

cargo run -- list-slots
# Expected: slot 0, label "final-test", initialized

cargo run -- key-ceremony
# Expected: [Step 1-4] output; root-ca-key generated

cargo run -- generate-key --label service-key
# Expected: "Generated ECDSA P-256 key pair, label: service-key"

SIG=$(cargo run -- sign --label service-key --data "hello cert world" | grep "Signature:" | awk '{print $2}')
cargo run -- verify --label service-key --data "hello cert world" --sig "$SIG"
# Expected: "Signature verified OK"

cargo run -- verify --label service-key --data "tampered data" --sig "$SIG"
# Expected: error (signature verification failed)

acm-pca-design.md Completion Checklist

  • [ ] §0 Key Custody Model — hierarchy; root decision; blast radius
  • [ ] §1 CA Hierarchy Design — 3 tiers; validity; cost estimate
  • [ ] §2 Certificate Templates — table with all cert types
  • [ ] §3 Issuance API Flow — sequence diagram; idempotency; error handling
  • [ ] §4 Revocation + Audit — CRL config; OCSP decision; serial tracking; audit pipeline
  • [ ] §5 Failure Mode Analysis — 5+ modes; monitoring; runbooks; multi-account; cost model
  • [ ] §6 Integration with Provisioning Service — end-to-end flow; IAM; DynamoDB schema; SPIRE integration; recommendation

Final check: could you present §6 in a 10-minute design discussion with your team?


Phase 5 in One Sentence Per Week

Complete these:

  • Week 1: "An HSM protects CA private keys by _______________, and PKCS#11 lets software _______________."

  • Week 2: "ACM PCA manages the CA hierarchy by _______________, and my provisioning service calls _______________ to issue a device certificate."

  • Week 3: "The biggest operational risk for my CA hierarchy is _______________, and the mitigation is _______________."


Phase 5 Reflection

Four questions — write answers anywhere. They calibrate Phase 6.

  1. What was most surprising about HSMs or ACM PCA?

  2. What is still fuzzy? (one concept you couldn't confidently explain to a colleague)

  3. How does this change your mental model of the provisioning service?
    (Compared to Phase 4: you now understand both identity and key protection)

  4. What's the single most valuable thing you'd bring back to your team?
    (A CA hierarchy proposal? A cost analysis? A SPIRE + ACM PCA integration plan?)


What You've Built: Phase 5 Deliverables

mob_learning/
├── hsm-demo/                      ← Rust binary: PKCS#11 via SoftHSM2
│   └── src/                       ← slots.rs, keygen.rs, sign.rs, verify.rs, ceremony.rs
└── acm-pca-design.md              ← 6-section architecture document

hsm-demo proves you can work with PKCS#11 at the library level —
the same code runs against CloudHSM with only a library path change.

acm-pca-design.md proves you can design a production CA architecture —
key hierarchy, issuance API, revocation, audit, failure modes, and integration.


Looking Ahead: Phase 6 (Sep 17 – Sep 30)

Integration Project: Mock Provisioning Service

You now understand:

  • Phase 1: TLS 1.3 + X.509 fundamentals
  • Phase 2: Building a CA in Rust
  • Phase 3: Post-quantum cryptography
  • Phase 4: SPIFFE/SPIRE + workload identity
  • Phase 5: HSM + AWS Private CA

Phase 6 puts it all together:
build a small Rust service that mimics your team's actual provisioning work —
accepting cert requests, calling a CA, storing state, applying mTLS.

This is where the learning becomes a prototype you can actually show your team.


Resources

  • Your hsm-demo code from Days 3–5
  • cryptoki examples: github.com/parallaxsecond/rust-cryptoki
  • SoftHSM2: github.com/opendnssec/SoftHSMv2
  • ACM PCA User Guide: docs.aws.amazon.com/privateca/latest/userguide
  • aws-sdk-acmpca Rust crate: docs.rs/aws-sdk-acmpca