afchine madjlessi wrote:
I plan to setup an OpenCA platform and use openssl-0.9.7
with the CC2000 Bull TrustWay PKCS#11 enable device
(see last patch I have submitted to openssl).
I read openssl-dev :)

The cryptographic hardware is used for generate keys,
store private keys and accelerate any RSA operations.
So, I installed openssl-0.9.7 (with the pkcs#11 engine patch applied),
apache-mod_ssl (with a specific patch to work with a pkcs#11 cryptodevice)
and openca-0.9.0 on a linux machine.
I have some questions:

1- Is it possible to setup ca, ra, and pub on the same server for testing?
Yes.

2- Is there a way to initialize openca to use an openssl engine, pkcs11 in
our case, instead of SSLeay software crypto; and then call openssl with the
good parameters (openssl $cmd -engine pkcs11 -keyform e $arg)?
Yes, see ca.conf (the example is for LunaCA3).

opensslEngine "pkcs11"
opensslEngineArg " -keyform e your_special_engine_args "
## the normal openssl args will be added by OpenCA

HSM_LOGIN_CMD ""
HSM_LOGOUT_CMD ""
HSM_GENKEY_CMD "openssl genrsa -keyform e -engine pkcs11 -out OPENCA_DIR/var/crypto/cakey.pem 1024"
## normally every HSM has a special command to generate a key
## (see LunaCA)
## therefore you have to enter the command separately from the
## normal openssl configuration
## I would recommend you to generate the key by hand
## we plan a better passphrase and HSM manager for 0.9.2 but
## now you have to live with this provisional solution

3- Do you have some documentation to explain roles & rights?
You can find some documentation in the OpenCA Guide but we plan to completely rewrite the accesscontrol. Usually roles are only used to generate the certs (because the extensions depend on the role) and the accesscontrol will be configured on the apache.

4- What's the export/import format on the floppy and is it possible to
change it?
Simply take a complete backup or export from OpenCA, go into an empty directory and extract it. After this you can see the structure. The structure is really easy to understand and a look in the files shows you the details, which are simple too (an explanation is more complicated than looking into the files).

5- How can I disable HSM login/logout in 0.9.1 ?
Simply don't use the links in the CA interface.

Michael

P.S. if you get it working or you have more problems please mail us again. If we implement the new passphrase manager then we need information about as many HSMs as possible to build a good interface which is easily adaptable to new HSMs.
--
-------------------------------------------------------------------
Michael Bell
Rechenzentrum - Datacenter
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin
Germany
Email (private): [EMAIL PROTECTED]
Email: [EMAIL PROTECTED]
Tel.: +49 (0)30-2093 2482
Fax: +49 (0)30-2093 2959
http://www.openca.org
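An added example, not from the mail above and not OpenCA's own code: a small POSIX shell script that reads opensslEngine, opensslEngineArg and HSM_GENKEY_CMD from a ca.conf-style file, assembles the openssl command line the way the answer to question 2 describes it (engine name and engine args in front of the normal openssl arguments that OpenCA appends), and checks that the key-generation command really addresses the HSM (-engine pkcs11 together with -keyform e) instead of silently generating a software key on disk. The two config fragments, the function names conf_get, build_openssl_cmd and check_genkey_uses_hsm, and the OPENCA_DIR placeholder path are constructed for this example; the parser assumes the simple `KEY "value"` line layout shown in the mail.

```shell
#!/bin/sh
# Constructed ca.conf-style fragments (not OpenCA's shipped file). The first
# follows the mail: key generation goes through the pkcs11 engine.
CA_CONF_HSM='opensslEngine "pkcs11"
opensslEngineArg " -keyform e "
## the normal openssl args will be added by OpenCA
HSM_LOGIN_CMD ""
HSM_LOGOUT_CMD ""
HSM_GENKEY_CMD "openssl genrsa -keyform e -engine pkcs11 -out OPENCA_DIR/var/crypto/cakey.pem 1024"
'
# The second is a misconfiguration: the engine is set, but the CA key would
# be generated in software and written to disk outside the device.
CA_CONF_SOFT='opensslEngine "pkcs11"
opensslEngineArg " -keyform e "
HSM_GENKEY_CMD "openssl genrsa -out OPENCA_DIR/var/crypto/cakey.pem 1024"
'

# conf_get FILE KEY: print the value of the first KEY "value" line, quotes stripped.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*\"\(.*\)\"[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# build_openssl_cmd FILE SUBCMD ARGS...: assemble the openssl command line as
# the answer describes it: -engine <name>, then the engine args from the
# config, then the ordinary openssl arguments appended by OpenCA.
build_openssl_cmd() {
    conf=$1; subcmd=$2; shift 2
    engine=$(conf_get "$conf" opensslEngine)
    engine_arg=$(conf_get "$conf" opensslEngineArg | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    if [ -n "$engine" ]; then
        printf 'openssl %s -engine %s %s %s\n' "$subcmd" "$engine" "$engine_arg" "$*"
    else
        printf 'openssl %s %s\n' "$subcmd" "$*"
    fi
}

# check_genkey_uses_hsm FILE: return 0 only if HSM_GENKEY_CMD names the
# configured engine and uses -keyform e, i.e. the CA key is created on the
# device; return 1 when the key would be generated by software instead.
check_genkey_uses_hsm() {
    engine=$(conf_get "$1" opensslEngine)
    genkey=$(conf_get "$1" HSM_GENKEY_CMD)
    [ -n "$engine" ] || return 1
    case "$genkey" in
        *"-engine $engine"*) ;;
        *) return 1 ;;
    esac
    case "$genkey" in
        *"-keyform e"*) return 0 ;;
        *) return 1 ;;
    esac
}

# demo: write both fragments to temporary files and show the results.
demo() {
    for sample in "$CA_CONF_HSM" "$CA_CONF_SOFT"; do
        f=$(mktemp)
        printf '%s' "$sample" > "$f"
        build_openssl_cmd "$f" req -new -key OPENCA_DIR/var/crypto/cakey.pem
        if check_genkey_uses_hsm "$f"; then
            echo "HSM_GENKEY_CMD: key is generated on the HSM"
        else
            echo "HSM_GENKEY_CMD: WARNING, key would be generated in software"
        fi
        rm -f "$f"
    done
}
demo
```

The check only inspects the configured command string; it does not prove the engine actually loaded, so after the first real key generation it is still worth confirming with the device's own tools that the private key object exists on the token and that no cakey.pem containing key material appeared under var/crypto.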

_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
