On 11/11/2012 11:50 PM, Anthony Foiani wrote:
>> certtool --generate-request --outfile req.pem --load-privkey
>> "pkcs11:yyy" --load-pubkey "pkcs11:xxx"
>>
>> should generate a request from the objects based on a smart card. The
>> pkcs11: URLs are obtained using the "p11tool --list-all --login" command.
>
> Nice -- thank you for the pointer!
>
> Unfortunately, I don't think this can work with a keypair generated on
> the CC-HSM.
>
> First, the public key is only available during the same session that
> generates the pair; it disappears after the session disappears. One
> can capture the public key at generation time using the instructions
> provided by CardContact here:
> http://www.opensc-project.org/opensc/wiki/SmartCardHsm#Generatekeypair

Ouch. In that case it can be a problem. I'm not aware of a PKCS #11 way to
extract the public key from a private key after its generation. However,
with that process you can use the spki file in the command I sent before in
place of pkcs11:xxx. You may need to use the --inder option if it is in DER
format.

> Second, the private key is not extractable, so the certtool won't be
> able to load it from the card. (Unless "--load-privkey" actually
> means "use this privkey, but it's really just a reference to doing it
> on the token itself.)

--load-privkey does not really load the key. It only uses the private key to
sign the request without extracting it.

regards,
Nikos
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
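The procedure discussed in the thread, as an added example that is not part of the original messages and not code from GnuTLS or OpenSC: a small POSIX shell helper that assembles the certtool request command for a non-exportable PKCS#11 private key, taking the public key either as a pkcs11: URL (when the object still exists on the token) or as the spki file captured at key-generation time, and deciding from the file's first byte whether --inder is required. The PKCS#11 URLs `pkcs11:yyy` / `pkcs11:xxx` and the file names are placeholders; the test data at the end is constructed, not a real key.

```shell
#!/bin/sh
# Added example, not from the original thread or from GnuTLS/OpenSC.
# Assumes: GnuTLS certtool/p11tool are installed; the caller obtains the
# private-key URL from "p11tool --list-all --login" and, for a key whose
# public object is gone after the generating session, the spki file saved
# at generation time (see the SmartCard-HSM wiki page linked above).

# inder_flag FILE
# Prints "--inder" when FILE looks like DER (an ASN.1 SEQUENCE, first byte
# 0x30, which every SubjectPublicKeyInfo begins with), prints nothing when
# it looks like PEM (first byte '-' of "-----BEGIN"), and fails otherwise
# so that we never guess on an unrecognised file.
inder_flag() {
    first=$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    case "$first" in
        30) printf '%s' '--inder' ;;
        2d) printf '' ;;
        *)  return 1 ;;
    esac
}

# csr_command PRIVKEY_URL PUBKEY OUTFILE
# PUBKEY is either a pkcs11: URL (public object still on the token) or a
# path to the captured spki file. --load-privkey never extracts the key:
# certtool hands the request to the token for signing.
csr_command() {
    privkey_url="$1"; pubkey="$2"; outfile="$3"
    case "$pubkey" in
        pkcs11:*)
            flag='' ;;                      # URL: format flag not needed
        *)
            flag=$(inder_flag "$pubkey") || {
                echo "cannot tell PEM from DER: $pubkey" >&2
                return 1
            } ;;
    esac
    printf 'certtool --generate-request --outfile %s --load-privkey "%s" --load-pubkey "%s"%s\n' \
        "$outfile" "$privkey_url" "$pubkey" "${flag:+ $flag}"
}

# Stand-alone use: ./csr.sh 'pkcs11:yyy' spki.der req.pem  (prints the command;
# pipe it to sh to run it against the token).
if [ "$#" -eq 3 ]; then
    csr_command "$@"
fi
```

The script only prints the command rather than running it, so it can be reviewed before the token is asked to sign; `p11tool --list-all --login` is still the way to find the `pkcs11:` URL for the private key, exactly as in the original reply.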