About HSM cleanup behavior

Firefly generates a new key pair whenever it needs a new Issuer Certificate. Each key pair consumes a portion of the HSM's finite storage, so it is important to remove keys from the HSM when they're no longer needed.

A Firefly instance that is shut down gracefully automatically removes the key pair it generated from the HSM. If the shutdown is not graceful, the key pair stays on the HSM as an orphaned key, and Firefly includes a cleanup process for such keys. A Firefly instance is considered "inactive" if it has not reported statistics to the Venafi Control Plane in more than three days.

Once per day, active Firefly instances will attempt to remove keys from the HSM for inactive Firefly instances that were bootstrapped using the same configuration. The cleanup process uses a randomly generated identifier (UUID) assigned to the CKA_ID attribute for each generated key pair on the HSM device. This identifier is also sent to Venafi Control Plane, creating an association between the identifier and the Firefly instance.

When Firefly requests data for inactive instances from the Venafi Control Plane, it receives the identifier for each inactive instance. Firefly then filters the objects on the HSM device for those whose CKA_ID attribute matches an identifier value and removes these objects from the HSM.
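
The selection rule described above can be modeled offline to audit which HSM objects a cleanup pass would remove. This is an added example, not Firefly's own code: the record shapes, field names and sample data are assumptions, and it goes one step beyond the page by also listing objects whose CKA_ID matches no instance record, which the cleanup would never touch.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

INACTIVE_AFTER = timedelta(days=3)  # inactive = no statistics for MORE than three days

@dataclass(frozen=True)
class Instance:  # hypothetical shape of a Control Plane instance record
    name: str
    config_id: str  # configuration the instance was bootstrapped with
    key_id: str  # UUID placed in CKA_ID of the key pair it generated
    last_report: datetime

@dataclass(frozen=True)
class HsmObject:  # hypothetical view of one PKCS#11 object
    handle: int
    kind: str  # "private" or "public"
    cka_id: str

def plan_cleanup(instances, hsm_objects, my_config, now):
    """Return (objects a cleanup pass would remove, objects tied to no instance)."""
    stale = {i.key_id for i in instances
             if i.config_id == my_config and now - i.last_report > INACTIVE_AFTER}
    known = {i.key_id for i in instances}
    remove = [o for o in hsm_objects if o.cka_id in stale]
    unknown = [o for o in hsm_objects if o.cka_id not in known]
    return remove, unknown

# Constructed sample data: UUIDs, names and handles are made up.
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)

def _uid(n):
    return f"0b6f3c1e-0000-4000-8000-{n:012d}"

INSTANCES = [
    Instance("ff-a", "cfg-1", _uid(1), NOW - timedelta(hours=2)),  # active
    Instance("ff-b", "cfg-1", _uid(2), NOW - timedelta(days=5)),   # inactive, same config
    Instance("ff-c", "cfg-2", _uid(3), NOW - timedelta(days=9)),   # inactive, other config
    Instance("ff-d", "cfg-1", _uid(4), NOW - timedelta(days=3)),   # exactly 3 days: still active
]
HSM_OBJECTS = [HsmObject(h, k, _uid(n)) for h, k, n in [
    (1, "private", 1), (2, "public", 1), (3, "private", 2), (4, "public", 2),
    (5, "private", 3), (6, "private", 4), (7, "private", 99)]]

if __name__ == "__main__":
    remove, unknown = plan_cleanup(INSTANCES, HSM_OBJECTS, "cfg-1", NOW)
    print("remove:", [(o.handle, o.kind) for o in remove])
    print("no matching instance:", [(o.handle, o.kind) for o in unknown])
```

Both halves of a key pair share one CKA_ID, so the plan removes the private and the public object together; a key left by an instance bootstrapped with a different configuration stays until an active instance with that configuration runs its own pass.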