Re: Openssl default_ca values while using HSM - LunaCA3

Thu, 13 Dec 2012 11:04:40 -0800 

Hello Simon,

The correct way is to have a "key pointer" file that you can use 'sautil' to 
create. Your SafeNet representative should be able to point you in the right 
direction.

Best Regards,

Patrick.
On 2012-12-13, at 1:40 PM, simon charles wrote:

> 
> Dr. Stephen , 
>     Thank you for your reply - here is the output of your recommended command 
> line
> 
> /usr/local/openssl/ssl/bin/openssl ca -config CA.cnf -engine LunaCA3  
> -keyfile "root-ca" -keyform ENGINE -in test-svr-010req.pem -out 
> test-svr-010.pem -batch
> Using configuration from CA.cnf
> engine "LunaCA3" set.
> unable to load certificate
> 3086288524:error:02001002:system library:fopen:No such file or 
> directory:bss_file.c:169:fopen('root-ca','r')  *
> 3086288524:error:2006D080:BIO routines:BIO_new_file:no such 
> file:bss_file.c:172:
> 3086288524:error:0906D06C:PEM routines:PEM_read_bio:no start 
> line:pem_lib.c:696:
> 
> * Looks like it is trying to read the key from disk on not from the HSM.
> 
>     Thanks. 
> 
> - Simon Charles - 
> 
> 
>> Date: Thu, 13 Dec 2012 15:48:09 +0100
>> From: [email protected]
>> To: [email protected]
>> Subject: Re: Openssl default_ca values while using HSM - LunaCA3
>> 
>> On Wed, Dec 12, 2012, simon charles wrote:
>> 
>>> Sorry for the duplicate post - was not signed up with the forum and might 
>>> have missed a response to my question . Please resend your answers if you 
>>> have already replied to my query.
>>> 
>>> 
>>> All , 
>>>  What would the default_ca section look like while using 
>>> LunaCA3 HSM for storing CA private key. Openssl looks for certificate 
>>> and private_key on disk - how do i make openssl ca routine aware of 
>>> private keys on the HSM ( LunaCA3 )
>>>    Thanks. 
>>> 
>> 
>> Currently you cannot set the ENGINE parameters in the configuration file. You
>> can however set them on the command line with:
>> 
>> openssl ca -engine <engine name> -keyform e -keyfile <name>
>> 
>> 
>> --
>> Dr Stephen N. Henson. OpenSSL project core developer.
>> Commercial tech support now available see: http://www.openssl.org
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    [email protected]
>> Automated List Manager                           [email protected]
>                                         

---
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca

tel: +1 514 485 0789
mobile: +1 514 994 8699
fax: +1 450 424 9559





______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]

Reply via email to