Keyless SSL
A TLS architecture where the CDN edge handles encryption but never possesses the customer's private key. The key stays on the customer's infrastructure, and the edge proxies only the key operation.
Full Explanation
Keyless SSL solves a trust problem. To terminate TLS, a CDN needs access to your private key. For banks, healthcare companies, and governments, handing private keys to a third party is a non-starter, no matter how many compliance certifications the CDN has. Keyless SSL splits the TLS handshake so the CDN edge handles everything except the private key operation.
Here's how the architecture works. During a TLS handshake, there's one step that requires the private key: either decrypting the pre-master secret (RSA key exchange) or signing the handshake parameters (ECDHE). In Keyless SSL, when the edge reaches this step, it sends a request to a "key server" running on the customer's infrastructure. The key server performs the private key operation and returns the result. The edge then completes the handshake with the client. The private key never leaves the customer's premises.
Cloudflare pioneered Keyless SSL in 2014, and it remains the most widely known implementation. The protocol between edge and key server is a simple binary format over a mutually authenticated TLS connection. The key server is open source, and customers run it on their own hardware or HSM (Hardware Security Module).
The performance trade-off is real but manageable. Every new TLS handshake requires a round trip to the key server. If the key server is in New York and the CDN edge is in Singapore, that adds 200-300ms to the initial connection. But TLS session resumption (session tickets, PSK) eliminates the key server round trip for returning visitors. In practice, only the first connection to a given edge pays the latency cost.
Forward secrecy with ECDHE changes the calculus. With ECDHE key exchange, the key server only signs the handshake parameters. It doesn't handle any data decryption. This means even if someone compromises the key server later, they can't decrypt previously recorded traffic. The one-time signing operation is also fast, typically under 5ms on the key server side.
Some organizations go further and put their key server behind an HSM. The private key lives inside tamper-resistant hardware that never exports it. The HSM performs the cryptographic operation and returns the result. This provides the highest level of key protection while still allowing CDN edge termination.
Beyond Keyless SSL, the industry is moving toward delegated credentials (IETF draft). Instead of proxying key operations in real time, the origin issues short-lived (hours) signing credentials to the CDN. The CDN uses these credentials directly for TLS handshakes, eliminating the real-time round trip while limiting exposure if a credential is compromised.
Examples
# Keyless SSL handshake flow (text diagram)
#
# Client CDN Edge Key Server (Customer)
# |---ClientHello--->| |
# |<--ServerHello----| |
# |<--Certificate----| |
# |---KeyExchange--->| |
# | |---Sign request---->|
# | |<--Signature--------| (private key op)
# |<--Finished-------| |
# |---Finished------>| |
# |<====Encrypted data flows============>|
# Install Cloudflare's open-source key server (gokeyless)
git clone https://github.com/cloudflare/gokeyless.git
cd gokeyless && make
# Key server configuration
# /etc/keyless/gokeyless.yaml
private_key_dirs:
- /etc/keyless/keys
metrics_addr: localhost:2408
# Deploy key server with private key
cp your-private-key.pem /etc/keyless/keys/
systemctl start gokeyless
# Verify key server is responding
curl -s http://localhost:2408/metrics | grep keyless
# keyless_sign_requests_total 42
# keyless_sign_request_duration_seconds{quantile="0.5"} 0.002
# TLS session resumption avoids key server round trip
openssl s_client -connect example.com:443 \
-sess_out /tmp/tls_session
openssl s_client -connect example.com:443 \
-sess_in /tmp/tls_session
# Second connection: "Reused, TLSv1.3" (no key server hit)Frequently Asked Questions
A TLS architecture where the CDN edge handles encryption but never possesses the customer's private key. The key stays on the customer's infrastructure, and the edge proxies only the key operation.
# Keyless SSL handshake flow (text diagram)
#
# Client CDN Edge Key Server (Customer)
# |---ClientHello--->| |
# |<--ServerHello----| |
# |<--Certificate----| |
# |---KeyExchange--->| |
# | |---Sign request---->|
# | |<--Signature--------| (private key op)
# |<--Finished-------| |
# |---Finished------>| |
# |<====Encrypted data flows============>|
# Install Cloudflare's open-source key server (gokeyless)
git clone https://github.com/cloudflare/gokeyless.git
cd gokeyless && make
# Key server configuration
# /etc/keyless/gokeyless.yaml
private_key_dirs:
- /etc/keyless/keys
metrics_addr: localhost:2408
# Deploy key server with private key
cp your-private-key.pem /etc/keyless/keys/
systemctl start gokeyless
# Verify key server is responding
curl -s http://localhost:2408/metrics | grep keyless
# keyless_sign_requests_total 42
# keyless_sign_request_duration_seconds{quantile="0.5"} 0.002
# TLS session resumption avoids key server round trip
openssl s_client -connect example.com:443 \
-sess_out /tmp/tls_session
openssl s_client -connect example.com:443 \
-sess_in /tmp/tls_session
# Second connection: "Reused, TLSv1.3" (no key server hit)Related CDN concepts include:
- TLS (Transport Layer Security) (TLS) — The encryption protocol that secures HTTPS connections. TLS encrypts data in transit between client and …
- ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) (ECDHE) — A key exchange algorithm used in TLS that provides forward secrecy using elliptic curve cryptography. …
- ECDSA (Elliptic Curve Digital Signature Algorithm) (ECDSA) — A digital signature algorithm using elliptic curve cryptography for TLS certificate authentication. Produces smaller, faster …