I am new to HSMs. We are looking at AWS CloudHSM OR Thales Luna Cloud HSM as providers. Getting the cert is pretty straightforward, but how to auto-renew? Has someone done this before?
I found these docs, but it looks like there is no tool for automatically requesting SSL cert renewal with AWS, and I would have to write a script for it...? Situation is similar with Thales.
https://aws.amazon.com/blogs/security/using-aws-cloudhsm-backed-certificates-with-microsoft-internet-information-server/ https://docs.aws.amazon.com/cloudhsm/latest/userguide/ssl-offload-enable-traffic-and-verify-certificate-windows.html https://docs.aws.amazon.com/cloudhsm/latest/userguide/key_mgmt_util-reference.html
In this context, a HSM is just secure storage for private (or symmetrical) keys. While the vendor may provide tools for manipulating the keys and even for creating simple certification request or self-signed certificates, these are just for very simple use cases and don't provide any Certificate Lifecycle Management - which seems to be, at a basic level, what you're after.
Your first link shows the certificate being enrolled from a CA. The CA may provide client software which can be installed on the subscriber which may manage enrolment and renewals for you.
For example, if you use a Microsoft CA, then Windows has a built-in client, controlled by group policy, which can automatically renew certificates.
If you use a commercial CA, you will need to investigate what they offer. They may have a client which you can install to manage the certificates. Alternatively, there are standard protocols, such as ACME, CMC, CMP, EST or SCEP which these CAs may be able to work with. You'll then need to install clients for those protocols on your server.