Hi Sander, 

Thank you for your elaborate response. It has helped me a great deal.

A follow-up question:

> fookey
> fookey_certreq
> fookey_selfcert
> 
> The first one looks a lot like a private key, but it is a dummy key.  This is 
> the key file you pass to the OpenSSL library.  It looks so much like a 
> private key, that the library will just use it.  However, when you use it 
> with the CHIL engine registered, and the Hardware Crypto Hook library loaded, 
> the Hardware Crypto Hook library will find embedded (hence 'embed') in the 
> private exponent value for that dummy key a pointer to the real key, 
> protected by the nCipher Security World and saved under the Key Management 
> Data folder. 

I tried loading the private key 'fookey' using ENGINE_load_private_key( e, 
"fookey", NULL, NULL ); but it fails. This key was generated as you said, to 
be of application type "embed".
However, if I try to load a key of type "hwcrhk", it succeeds with no changes 
to the rest of the code. (Still using the CHIL engine, and as a pre-command to the 
engine I've set SO_PATH to the location of the hwcrhk DLL.)

The other part, SSL_CTX_use_certificate_chain_file( sslCtx, 
PATH_TO_fookey_selfcert ), seems to be working, as the function returns a value 
of 1.


>> 2. My private key is ultimately protected by a smart-card pass-phrase. At 
>> which step is the pass phrase supplied and how by an application that is 
>> making use of the OpenSSL (CHIL) engine API?
> 
> OpenSSL, CHIL and the Hardware Crypto Hook library lack the capability to 
> prompt for smart cards and passphrases.  You need to start your OpenSSL 
> program out of the nCipher preload utility.  Run preload --help to find out 
> which options are available.  

So I'm using module-protected keys for now. But later on once I want to use 
card-protected keys, I'll look into the pre-commands or post-commands for 
specifying the passphrase to the engine.


> Note that you can contact Thales technical support as part of your support 
> contract.  They also sell Developer Support to help you with your code.

I tried, but this seems to be faster and more effective :)


Thanks again, 
Sunjeet
