Hi all. I'm now looking at another issue. Having stored "enough" certs on card, I'm now trying to push it to the limit.
Seems that openssh can't be told which key to use, but that's not OpenSC related (unless someone here knows how to do it). So falling back to pam_pkcs11 and CA handling.

I've found a lot of tutorials to use openssl to generate self-signed certs (OK for my root CA), but couldn't find one where the signature is done by the card. Even on http://www.opensc-project.org/engine_pkcs11/wiki/QuickStart it seems openssl requires read access to the secret key, actually "banning" keys generated on-card:

$ openssl req -config openssl.conf -engine pkcs11 -new -key 10 -keyform engine -out req.pem -text -x509 -subj "/CN=csshl.org Root CA"
engine "pkcs11" set.
Invalid slot number: 0
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
3075466888:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
unable to load Private Key

Any hint on how to instruct openssl to use the card to sign?

And on a related issue (step 2), can the public key be removed after loading the cert?

Tks!
BYtE!