On 17/02/2011 22:55, Andreas Jellinghaus wrote:

> no, that wiki page is correct and works for me - done it a hundred times.
> it uses the key on the card, and the card does the signature (you cannot
> read the private key, a smart card won't ever give it to you).

Yup. That's why keys are generated on card :)

> so maybe "10" is the wrong key id or something like that?

I generated it with

$ pkcs15-init -G rsa/2048 -a 3 --id 10 -l "Root CA"

and "pkcs15-tool -k" shows, amongst others:

Private RSA Key [Root CA]
    Object Flags   : [0x3], private, modifiable
    Usage          : [0x4], sign
    Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
    ModLength      : 2048
    Key ref        : 8
    Native         : yes
    Path           : 3f0050154b08
    Auth ID        : 03
    ID             : 10

So it seems correct.

*But* if I specify a slot too, it asks me for a PIN. Too bad *none* of the PINs I created works:

$ openssl req -days 3650 -new -out rootca.csshl.org.csr -config openssl.conf -engine pkcs11 -keyform engine -key 1:10 -sha1
engine "pkcs11" set.
PKCS#11 token PIN:
Login failed
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
3074688648:error:800050A4:Vendor defined:PKCS11_login:PIN locked:p11_slot.c:157:
3074688648:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
unable to load Private Key

I obviously tried all the PINs (including SOPIN). The strange thing is that NO PIN is locked after all the tries I did...

Any hint about where to bang my head?

Tks!
BYtE!