Hi

I have the following environment:
- openssl 0.9.8a
- openct/opensc/pkcs11_engine
- etoken USB Pro 64
- Fedora Core 5

My target is to set up a small PKI using openssl ca and to use the eToken to host
the root private key.

So I have initialized the token:
$ opensc-tool --list-reader
Readers known about:
Nr.    Driver     Name
0      openct     Aladdin eToken PRO 64k
1      openct     OpenCT reader (detached)
2      openct     OpenCT reader (detached)
3      openct     OpenCT reader (detached)
4      openct     OpenCT reader (detached)
$ pkcs15-init --create-pkcs15
$ pkcs15-init --store-pin --auth-id 01 --label "xxx"
$ pkcs15-init --store-private-key key.pem --id 45 --auth-id 01
$ pkcs15-tool --list-keys -auth-id 01
Private RSA Key [Private Key]
        Com. Flags  : 3
        Usage       : [0x4], sign
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength   : 2048
        Key ref     : 16
        Native      : yes
        Path        : 3f005015
        Auth ID     : 01
        ID          : 45

I have built a CSR using the req command of openssl.

Then I try to sign this CSR using the private key inside the token:
$ openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so

(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib/opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine

OpenSSL> ca -engine pkcs11 -key id_45 -in req.pem -out cert.pem -config tools/conf/openssl.cnf
Using configuration from tools/conf/openssl.cnf
engine "pkcs11" set.
unable to load CA private key
32293:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:454:
32293:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:425:
error in ca

Any idea on the issue? Is it the right way to build a ca command using an
engine?

Thanks

Philippe.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]

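As an added example (not from Philippe's post, and not code shipped by OpenSSL or OpenSC), here is a POSIX shell script that does the same job non-interactively. It assumes the same paths and key id as the post (engine_pkcs11.so, opensc-pkcs11.so, PKCS#15 key ID 45 referenced as "id_45") and a hypothetical existing "openssl ca" config at ./ca.cnf; all of those are assumptions. It shows two things a practitioner wants here: loading the engine from openssl.cnf instead of typing "engine dynamic -pre ..." at the OpenSSL prompt, and selecting the token key with "-keyform engine -keyfile id_45". In "openssl ca" the "-key" option is the passphrase used to decrypt a PEM key file, so "-key id_45" makes ca read the private_key from the config and try to decrypt it with the string "id_45", which is what a "PEM routines ... bad decrypt" error looks like. engine_pkcs11 prompts for the token PIN on the terminal when the key is used.

```shell
#!/bin/sh
# Added example, not from the original post. Signs a CSR with "openssl ca"
# using a private key that lives on a PKCS#11 token (eToken via OpenSC).
# All paths, the key id and ca.cnf below are assumptions mirroring the post.
set -eu

ENGINE_SO=${ENGINE_SO:-/usr/lib/engines/engine_pkcs11.so}   # engine_pkcs11 (assumed path)
MODULE_SO=${MODULE_SO:-/usr/lib/opensc-pkcs11.so}            # PKCS#11 module (assumed path)
KEY_ID=${KEY_ID:-id_45}        # engine_pkcs11 key reference: PKCS#15 key ID 45
CA_CNF=${CA_CNF:-./ca.cnf}     # your existing "openssl ca" config (hypothetical)

# Emit an openssl.cnf header that loads engine_pkcs11 at startup. OpenSSL's
# config loader recognises engine_id, dynamic_path and init; any other key in
# the engine section (here MODULE_PATH) is sent to the engine as a ctrl
# command, which is what the interactive "-pre MODULE_PATH:..." did by hand.
engine_cnf() {
    # $1 = path to engine_pkcs11.so, $2 = path to the PKCS#11 module
    cat <<EOF
openssl_conf = openssl_init

[ openssl_init ]
engines = engine_section

[ engine_section ]
pkcs11 = pkcs11_section

[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = $1
MODULE_PATH = $2
init = 0
EOF
}

# Arguments for "openssl ca" that take the CA key from the engine.
# -keyform engine makes ca ask the engine for the key named by -keyfile.
# ("-key" is the passphrase for decrypting a PEM key file, so "-key id_45"
# tries to decrypt the config's private_key with that string and fails.)
ca_args() {
    # $1 = engine key id, $2 = CSR in, $3 = cert out, $4 = ca config
    printf '%s' "-engine pkcs11 -keyform engine -keyfile $1 -in $2 -out $3 -config $4"
}

# Build a merged config (engine header + existing CA config), show that the
# engine comes up, then sign. engine_pkcs11 asks for the token PIN itself.
sign_csr() {
    # $1 = CSR in, $2 = cert out
    tmp=$(mktemp)
    { engine_cnf "$ENGINE_SO" "$MODULE_SO"; echo; cat "$CA_CNF"; } >"$tmp"
    # Eyeball check: this should report "[ available ]" for pkcs11.
    OPENSSL_CONF=$tmp openssl engine -t pkcs11
    # Word splitting of ca_args output is intended (paths without spaces assumed).
    OPENSSL_CONF=$tmp openssl ca $(ca_args "$KEY_ID" "$1" "$2" "$tmp")
    rm -f "$tmp"
}

[ $# -eq 0 ] || sign_csr "$@"     # usage: ./sign.sh req.pem cert.pem
```

The engine section keeps the PIN out of the config on purpose; engine_pkcs11 will prompt for it, which is the right default for a root key on a token. The "openssl engine -t pkcs11" line is there so that a wrong dynamic_path or MODULE_PATH shows up as "[ unavailable ]" before ca runs, rather than as a confusing key-loading error.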