Whether this can be done is something you should talk to the vendor of your HSM about. If you're still looking for one to buy, I can confirm that it can be done with nCipher's gear using openssl-engine and some extra binaries they provide; I personally have experience on Solaris using an HSM-protected key. They trick mod_ssl into running with a dummy key, and then the openssl engine offloads the key transforms via their CHIL API.
At http://www.ncipher.com/resources/index.html you will find their whitepapers on the subject. I work for an nCipher Solutions partner, so my view here is obviously biased; there are other HSM vendors, apparently.

-PeterV.

Imran Badr wrote:
> Engine support includes offloading RSA/DSA operations, but I haven't found
> any way to notify modssl that the key is in hardware key storage. Modssl
> always looks for disk files for the private key and certificate files, and I
> haven't figured out how to use hardware key storage. Apache will never start
> if those files are not on disk.
>
> Thanks for the reply.
> Imran.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Francois Desarmenien
> Sent: Saturday, June 08, 2002 5:56 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Hardware key storage
>
> On Wed, 5 Jun 2002 19:18:26 -0700
> "Imran Badr" <[EMAIL PROTECTED]> wrote:
>
>> Hi,
>> I am sorry if this question has been asked before in this group. I wanted to
>> find out what would be required to use private keys stored in hardware with
>> apache and modssl. Modssl code looks for the private key file on the host
>> machine and calls a use_private_key() sort of function of openssl to store
>> the private key in the ssl context. Is it possible to use modssl with apache when
>> keys are created in tamper-proof hardware and never leave it? Is there
>> any patch to do that?
>
> mod_ssl relies on OpenSSL, and OpenSSL-engine handles access for some
> crypto cards.
>
> F.
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
