Nikos -- Thanks for the quick reply!
On Sun, Nov 11, 2012 at 12:42 PM, Nikos Mavrogiannopoulos <n.mavrogiannopou...@gmail.com> wrote:

> Your question was on openssl,

Apologies if it was off-topic; it got to the point where I couldn't tell which component was complaining. Also, my initial goal is to use the token to authenticate data from an embedded instrument; as such, I figured that was more in the opensc world than openssl. (Eventually I'd like to use the token to provide that instrument with a server-side HTTPS certificate as well, which would of course get me back to openssl or similar tool. But that's further down the path.)

> but just in case someone is interested.
> If you have any recent version of gnutls you could simply do that by
> using the PKCS #11 URLs of the objects. That is:
>
> certtool --generate-request --outfile req.pem --load-privkey
> "pkcs11:yyy" --load-pubkey "pkcs11:xxx"
>
> should generate a request from the objects based on a smart card. The
> pkcs11: URLs are obtained using the "p11tool --list-all --login" command.

Nice -- thank you for the pointer!

Unfortunately, I don't think this can work with a keypair generated on the CC-HSM.

First, the public key is only available during the same session that generates the pair; it disappears after the session disappears. One can capture the public key at generation time using the instructions provided by CardContact here:

http://www.opensc-project.org/opensc/wiki/SmartCardHsm#Generatekeypair

This does work, but it leaves me with a public key in SPKI format, and I'm too ignorant to figure out how to turn that into something that OpenSSL can work with.

Second, the private key is not extractable, so the certtool won't be able to load it from the card. (Unless "--load-privkey" actually means "use this privkey, but it's really just a reference to doing it on the token itself".)

So far as I know, what I would really like the openssl "req" tool to do is:

1. Read the public key from a given file on the regular OS filesystem [somehow dealing with the SPKI->whatever format issue];
2. Prompt me for the X.509 request parameters;
3. Construct the X.509 certificate request;
4. Sign that request on the CC-HSM token using the private key on the card;
5. Output the signed CSR onto the regular OS filesystem.

But I have not yet figured out the correct incantation for that.

Best regards,
Anthony Foiani

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
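On the SPKI point in the message above (step 1 of the list): the public key captured at generation time is a DER-encoded SubjectPublicKeyInfo, which is exactly the structure OpenSSL reads with `-pubin`, so it only needs to be wrapped as PEM (or read with `-inform DER`). The script below is an added illustration, not code from this thread or from the OpenSC project; it checks the DER outline of a constructed sample SPKI, reports the algorithm OID, and wraps the blob as a "PUBLIC KEY" PEM block.

```python
import base64
import textwrap

# Constructed sample: a DER SubjectPublicKeyInfo for a toy RSA key
# (4-byte modulus, e = 65537). Only the structure matters here.
SAMPLE_SPKI_DER = bytes.fromhex(
    "3020"                                # SEQUENCE (SubjectPublicKeyInfo), 32 bytes
    "300d06092a864886f70d0101010500"      # AlgorithmIdentifier: rsaEncryption, NULL
    "030f00"                              # BIT STRING, 15 bytes, 0 unused bits
    "300c0205" "00c0ffee01" "0203010001"  # RSAPublicKey { n, e }
)

def read_tlv(buf, pos=0):
    """Return (tag, value_bytes, next_pos) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Dotted-string form of a DER OBJECT IDENTIFIER value (base-128 arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def spki_algorithm_oid(der):
    """Verify the SPKI outline {AlgorithmIdentifier, BIT STRING}; return the algorithm OID."""
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    alg_tag, alg, pos = read_tlv(body)
    key_tag, _, _ = read_tlv(body, pos)
    if alg_tag != 0x30 or key_tag != 0x03:
        raise ValueError("not a SubjectPublicKeyInfo structure")
    oid_tag, oid, _ = read_tlv(alg)
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)

def spki_der_to_pem(der):
    """Wrap the DER blob as the 'PUBLIC KEY' PEM that openssl accepts with -pubin."""
    spki_algorithm_oid(der)               # refuse to wrap something that is not an SPKI
    b64 = base64.b64encode(der).decode("ascii")
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(textwrap.wrap(b64, 64)) + "\n-----END PUBLIC KEY-----\n"
```

OpenSSL alone does the same conversion with `openssl pkey -pubin -inform DER -in pub.der -out pub.pem`; signing the request with the non-extractable private key on the card (step 4 of the list) is a separate matter and is not covered by this example.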