This piece should accept a TLS configuration object and serialize/deserialize it to/from JSON, and should provide a signature generation and verification service to ensure it is trusted and has not been manipulated.
- JSON de/serialization
- Read arbitrary JSON and verify an HMAC/SHA-512 signature before parsing
- Generate a signature over JSON and persist in place
- Derive the signature key from the master key in bootstrap.conf with a one-way transformation (i.e. HMAC/SHA-512("JSON TLS key", MK) -> TLSK)
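
The sign/verify flow listed above, as an added example that is not code from the project. It assumes the master key is the HMAC key and "JSON TLS key" is the message in the derivation, plus a hypothetical on-disk layout of one hex signature line followed by the raw JSON bytes; the sample key and config fields are constructed.

```python
import hashlib
import hmac
import json

LABEL = b"JSON TLS key"  # derivation label given on the page
SIG_HEX_LEN = hashlib.sha512().digest_size * 2  # 128 hex characters

# Constructed sample values for illustration (not from the page).
SAMPLE_MK = bytes.fromhex("00" * 32)
SAMPLE_CONFIG = {"clientAuth": "REQUIRED", "protocol": "TLSv1.2"}


def derive_tls_key(master_key: bytes) -> bytes:
    """TLSK = HMAC-SHA-512(key=MK, msg=label). One-way: TLSK does not reveal MK."""
    return hmac.new(master_key, LABEL, hashlib.sha512).digest()


def sign_config(config: dict, master_key: bytes) -> bytes:
    """Serialize the config and prepend its signature (assumed layout, see lead-in)."""
    body = json.dumps(config, sort_keys=True, separators=(",", ":")).encode("utf-8")
    sig = hmac.new(derive_tls_key(master_key), body, hashlib.sha512).hexdigest()
    return sig.encode("ascii") + b"\n" + body


def load_config(blob: bytes, master_key: bytes) -> dict:
    """Verify the signature over the raw bytes, then hand them to the JSON parser."""
    sig_hex, sep, body = blob.partition(b"\n")
    if not sep or len(sig_hex) != SIG_HEX_LEN:
        raise ValueError("missing or malformed signature line")
    expected = hmac.new(derive_tls_key(master_key), body, hashlib.sha512).hexdigest()
    # Constant-time comparison avoids leaking how many leading characters matched.
    if not hmac.compare_digest(sig_hex, expected.encode("ascii")):
        raise ValueError("signature mismatch: config rejected before parsing")
    return json.loads(body)


if __name__ == "__main__":
    blob = sign_config(SAMPLE_CONFIG, SAMPLE_MK)
    print(load_config(blob, SAMPLE_MK))
```

Because the signature covers the exact serialized bytes, the untrusted input never reaches the JSON parser unless the HMAC check passes.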