On Jan 7, 2011, at 7:25 PM, Anders Rundgren wrote:

> Slightly off-topic but I guess some of you guys have more insight in
> HSMs than most other people have :-)
>
> In a recent project there was a requirement for frequent and *automated*
> renewals of certificates. The renewal procedure is based on creating
> a self-signed request which is then signed by the original key.

Self-signed requests signed by which original key? The key that gets replaced?
> It appears that the new key cannot (for a *remote* CA) be guaranteed to
> have been created and residing in the HSM, which means that even if you
> use a rigorous "key ceremony" for the initial key you will almost be down at
> the "soft token" level after the very first renewal :-)
>
> Comments?

I don't quite follow the problem. Could you write it out with more details, more precisely the keys and certificates that are used?

--
@MartinPaljak.net
+3725156495
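To make the renewal step in the quoted message concrete, the following is an added example (not code from this thread, from OpenSC, or from either poster) that models the procedure Anders describes: a new key produces a self-signed CSR, the CSR is then countersigned with the original key, and the CA verifies both signatures. It assumes the `cryptography` Python package; the function names (`renewal_request`, `ca_checks_renewal`) and the subject name are my own choices. The point it illustrates is the one in the thread: the two signatures prove possession of the new key and authorisation by the old key, and nothing else, so the CA learns nothing about whether the new key was generated in or lives in an HSM.

```python
"""Model of an automated certificate renewal: new key self-signs a CSR,
the CSR is countersigned by the original key, the CA checks both.

Added example, not code from the mailing-list thread or from OpenSC.
Assumes the 'cryptography' package; all names below are assumptions.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def make_key():
    # Stand-in for key generation; in the thread's setting this would
    # happen inside (or, the concern is, outside) an HSM.
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def self_signed_cert(key, cn):
    # The "initial" certificate, e.g. the one produced by the key ceremony.
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=365))
            .sign(key, hashes.SHA256()))


def renewal_request(old_key, new_key, cn):
    """Build the renewal message: a CSR self-signed by the new key (proof of
    possession) plus a countersignature over the DER CSR by the old key
    (authorisation by the current certificate holder)."""
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
           .sign(new_key, hashes.SHA256()))
    csr_der = csr.public_bytes(serialization.Encoding.DER)
    countersig = old_key.sign(csr_der, padding.PKCS1v15(), hashes.SHA256())
    return csr_der, countersig


def ca_checks_renewal(old_cert, csr_der, countersig):
    """Everything a remote CA can verify from the request alone.

    Returns a dict of check results.  'new_key_in_hsm' is deliberately None:
    neither signature says where the new private key was generated or is
    stored, which is exactly the gap raised in the thread."""
    csr = x509.load_der_x509_csr(csr_der)
    checks = {}
    # (1) Proof of possession: the CSR's self-signature verifies under the
    #     public key embedded in the CSR.
    checks["pop_new_key"] = csr.is_signature_valid
    # (2) Authorisation: the countersignature verifies under the public key
    #     of the certificate being renewed.
    try:
        old_cert.public_key().verify(countersig, csr_der,
                                     padding.PKCS1v15(), hashes.SHA256())
        checks["authorised_by_old_key"] = True
    except InvalidSignature:
        checks["authorised_by_old_key"] = False
    # (3) Naming: the request is for the same subject as the old certificate.
    checks["subject_matches_old_cert"] = csr.subject == old_cert.subject
    # (4) Key residence: not verifiable from this request; would require a
    #     separate attestation mechanism from the HSM.
    checks["new_key_in_hsm"] = None
    return checks


if __name__ == "__main__":
    old, new = make_key(), make_key()
    cert = self_signed_cert(old, "device-1")        # constructed sample subject
    der, sig = renewal_request(old, new, "device-1")
    for name, result in ca_checks_renewal(cert, der, sig).items():
        print(f"{name:28s} {result}")
```

The `None` result is the useful part for a CA policy: a renewal pipeline that treats "both signatures valid" as equivalent to "key still in the HSM" has silently dropped the property the initial ceremony established.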