Hi,

I have the following environment:
 - openssl 9.8.a
 - openct/opensc/pkcs11_engine
 - eToken USB Pro 64
 - Fedora Core 5

My target is to set up a small PKI using openssl ca and to use the eToken to host the root private key. So I have initialized the token:

$ opensc-tool --list-reader
Readers known about:
Nr.  Driver  Name
0    openct  Aladdin eToken PRO 64k
1    openct  OpenCT reader (detached)
2    openct  OpenCT reader (detached)
3    openct  OpenCT reader (detached)
4    openct  OpenCT reader (detached)

$ pkcs15-init --create-pkcs15
$ pkcs15-init --store-pin --auth-id 01 --label "xxx"
$ pkcs15-init --store-private-key key.pem --id 45 --auth-id 01
$ pkcs15-tool --list-keys -auth-id 01
Private RSA Key [Private Key]
        Com. Flags  : 3
        Usage       : [0x4], sign
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength   : 2048
        Key ref     : 16
        Native      : yes
        Path        : 3f005015
        Auth ID     : 01
        ID          : 45

I have built a CSR using the req command of openssl. Then I try to sign this CSR using the private key inside the token:

$ openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib/opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
OpenSSL> ca -engine pkcs11 -key id_45 -in req.pem -out cert.pem -config tools/conf/openssl.cnf
Using configuration from tools/conf/openssl.cnf
engine "pkcs11" set.
unable to load CA private key
32293:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:454:
32293:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:425:
error in ca

Any idea on the issue? Is it the right way to build a ca command using an engine?

Thanks,
Philippe.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
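The "PEM_do_header:bad decrypt" failure above can be reproduced without any token; the shell script below is an added example (not from the post, OpenSSL or OpenSC) that uses a throwaway software key to show what `openssl ca -key X` actually does with X: it is the passphrase for the software key named by `private_key` in openssl.cnf (or `-keyfile`), not an engine key id, so the engine is never asked for key 45. The engine key is selected with `-keyform engine -keyfile <id>` in OpenSSL builds whose ca command accepts that form; the script assumes only that an `openssl` binary is on the PATH.

```shell
#!/bin/sh
# Added example: reproduce the PEM-layer "bad decrypt" seen in the post and show
# that it comes from decrypting a software PEM key with the -key string as the
# passphrase. Nothing here touches a token or the real CA key.

WORKDIR=$(mktemp -d)
KEY="$WORKDIR/ca-key.pem"   # constructed throwaway key, stands in for private_key= in openssl.cnf

# Create a passphrase-protected PEM key, the kind `openssl ca` loads from openssl.cnf.
# (Constructed passphrase; never reuse it outside this demo.)
make_test_key() {
  openssl genrsa -aes256 -passout pass:correct-horse -out "$KEY" 2048 >/dev/null 2>&1
}

# Load the key exactly the way `openssl ca -key "$1"` does: "$1" is used as the
# passphrase of the software key. Echoes 0 when the key loads, 1 when decryption
# fails; OpenSSL's error output is kept for inspection.
load_with_passphrase() {
  if openssl rsa -in "$KEY" -passin "pass:$1" -noout 2>"$WORKDIR/err.txt"; then
    echo 0
  else
    echo 1
  fi
}

# True when OpenSSL reported the same "bad decrypt" reason as in the post, which
# means a software key file was being decrypted, i.e. the engine was not involved.
saw_bad_decrypt() {
  grep -q 'bad decrypt' "$WORKDIR/err.txt"
}

# Demo run: "id_45" as a passphrase fails (1), the real passphrase succeeds (0).
# For the engine-resident key the ca invocation would instead name the key with
#   openssl ca -engine pkcs11 -keyform engine -keyfile id_45 ...
# and pass the token PIN through -passin, not through -key.
demo() {
  make_test_key
  printf 'with -key id_45 as passphrase: %s\n' "$(load_with_passphrase id_45)"
  saw_bad_decrypt && echo 'OpenSSL reported: bad decrypt (software key, not engine)'
  printf 'with the real passphrase:      %s\n' "$(load_with_passphrase correct-horse)"
}
```

Run `demo` after sourcing the script; the first attempt fails with the same "bad decrypt" reason as in the post because the string after `-key` was treated as a passphrase.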