Hi Patrick,

         I actually don't want to use the file that is generated from
sautil. For security reasons, I delete the private key from disk and
rely on the one stored inside the HSM partition. I've been directed to
use the following syntax for private key generation:

# sautil -l "my-rsa-private-label" g 2048

    # openssl req -engine LunaCA3 -new -nodes -key "my-rsa-private-label" \
      -keyform ENGINE -out tmpkey.req -days 30

Which works, but when using the openssl ca routine it is not able to find /
load the keys.

- Simon Charles -


> Subject: Re: Openssl default_ca values while using HSM - LunaCA3
> From: ppatter...@carillon.ca
> Date: Thu, 13 Dec 2012 20:33:36 -0500
> To: charlessi...@hotmail.com
> 
> Hi Simon,
> 
> Let me check with our Safenet Gurus here tomorrow... I think that the right 
> thing to do though is use the file that sautil generated (or generate a new 
> one with sautil), and then feed that to OpenSSL... we use that extensively 
> here, and it works like a charm.
> 
> Feel free to contact me privately.
> 
> Best Regards,
> 
> Patrick.
> 
> On 2012-12-13, at 7:50 PM, simon charles wrote:
> 
> > 
> > Hi Patrick,
> >    I did create the private key using sautil and tagged a label while 
> > creating it ("root-ca"). I am working with my Safenet representative but 
> > the documentation is lacking when it comes to integration with openssl 
> > command line. I figured - ask the openssl experts here. Any help would be 
> > much appreciated.
> >    Thanks. 
> > 
> > - Simon Charles - 
> > 
> > 
> >> Subject: Re: Openssl default_ca values while using HSM - LunaCA3
> >> From: ppatter...@carillon.ca
> >> Date: Thu, 13 Dec 2012 13:54:11 -0500
> >> To: openssl-users@openssl.org; charlessi...@hotmail.com
> >> 
> >> Hello Simon,
> >> 
> >> The correct way is to have a "key pointer" file that you can use 'sautil' 
> >> to create. Your SafeNet representative should be able to point you in the 
> >> right direction.
> >> 
> >> Best Regards,
> >> 
> >> Patrick.
> >> On 2012-12-13, at 1:40 PM, simon charles wrote:
> >> 
> >>> 
> >>> Dr. Stephen,
> >>>    Thank you for your reply - here is the output of your recommended 
> >>> command line
> >>> 
> >>> /usr/local/openssl/ssl/bin/openssl ca -config CA.cnf -engine LunaCA3  
> >>> -keyfile "root-ca" -keyform ENGINE -in test-svr-010req.pem -out 
> >>> test-svr-010.pem -batch
> >>> Using configuration from CA.cnf
> >>> engine "LunaCA3" set.
> >>> unable to load certificate
> >>> 3086288524:error:02001002:system library:fopen:No such file or 
> >>> directory:bss_file.c:169:fopen('root-ca','r')  *
> >>> 3086288524:error:2006D080:BIO routines:BIO_new_file:no such 
> >>> file:bss_file.c:172:
> >>> 3086288524:error:0906D06C:PEM routines:PEM_read_bio:no start 
> >>> line:pem_lib.c:696:
> >>> 
> >>> * Looks like it is trying to read the key from disk and not from the HSM.
> >>> 
> >>>    Thanks. 
> >>> 
> >>> - Simon Charles - 
> >>> 
> >>> 
> >>>> Date: Thu, 13 Dec 2012 15:48:09 +0100
> >>>> From: st...@openssl.org
> >>>> To: openssl-users@openssl.org
> >>>> Subject: Re: Openssl default_ca values while using HSM - LunaCA3
> >>>> 
> >>>> On Wed, Dec 12, 2012, simon charles wrote:
> >>>> 
> >>>>> Sorry for the duplicate post - was not signed up with the forum and 
> >>>>> might have missed a response to my question . Please resend your 
> >>>>> answers if you have already replied to my query.
> >>>>> 
> >>>>> 
> >>>>> All,
> >>>>> What would the default_ca section look like while using the
> >>>>> LunaCA3 HSM for storing the CA private key? OpenSSL looks for the certificate 
> >>>>> and private_key on disk - how do I make the openssl ca routine aware of 
> >>>>> private keys on the HSM (LunaCA3)?
> >>>>>   Thanks. 
> >>>>> 
> >>>> 
> >>>> Currently you cannot set the ENGINE parameters in the configuration 
> >>>> file. You can however set them on the command line with:
> >>>> 
> >>>> openssl ca -engine <engine name> -keyform e -keyfile <name>
> >>>> 
> >>>> 
> >>>> --
> >>>> Dr Stephen N. Henson. OpenSSL project core developer.
> >>>> Commercial tech support now available see: http://www.openssl.org
> >>>> ______________________________________________________________________
> >>>> OpenSSL Project                                 http://www.openssl.org
> >>>> User Support Mailing List                    openssl-users@openssl.org
> >>>> Automated List Manager                           majord...@openssl.org
> >>> 
> >> 
> >> ---
> >> Patrick Patterson
> >> President and Chief PKI Architect
> >> Carillon Information Security Inc.
> >> http://www.carillon.ca
> >> 
> >> tel: +1 514 485 0789
> >> mobile: +1 514 994 8699
> >> fax: +1 450 424 9559
> >> 
> > 
> 
> ---
> Patrick Patterson
> Chief PKI Architect
> Carillon Information Security Inc.
> http://www.carillon.ca
> 
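Editor's note, added to this thread and not part of any of the messages above: the point Dr. Henson makes is that the engine is selected only on the openssl ca command line, and one detail that the thread does not spell out is that openssl ca always reads the CA *certificate* from a file (the `certificate` entry under default_ca, or -cert), while only the CA *private key* can come from the engine, with -keyfile then holding the engine's key identifier (the HSM label) rather than a path. The script below is a constructed, runnable illustration of that split. It builds a minimal CA with a software key standing in for the HSM key so it runs offline, signs a CSR with -keyfile/-keyform on the command line, and exposes the same signing function in its engine form; the engine name LunaCA3 and the label "my-rsa-private-label" are taken from the thread, every path is made up here, and the engine branch is only exercised when an engine is actually installed (it assumes an OpenSSL with ENGINE support, i.e. 1.0/1.1; engines are deprecated in 3.x).

```shell
#!/bin/sh
# Added example, not code from the thread: minimal "openssl ca" setup showing
# that the CA certificate always comes from a file named in CA.cnf, while the
# key source is chosen on the command line (PEM file vs. engine-held key).
set -eu

# Write CA.cnf into $1. Paths are absolute so the script works from any cwd.
# "\$dir" is left for OpenSSL's own variable expansion inside the config.
write_ca_config() {
    dir=$1
    cat > "$dir/CA.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
default_md      = sha256
default_days    = 30
policy          = policy_any
x509_extensions = v3_ee

[ policy_any ]
commonName              = supplied
organizationName        = optional
countryName             = optional

[ req ]
distinguished_name = req_dn

[ req_dn ]

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ v3_ee ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# Create the CA database files and a self-signed CA certificate. The software
# key written to ca.key stands in for the key that would live in the HSM.
setup_ca() {
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    write_ca_config "$dir"
    openssl req -config "$dir/CA.cnf" -x509 -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Example Root CA" -days 30 -extensions v3_ca 2>/dev/null
}

# Sign CSR $2 into $3 with the CA in $1.
# $4 is the key reference: a PEM path for a software key, or the key label in
# the HSM partition when $5 names an engine (e.g. LunaCA3). In both cases the
# CA certificate is still loaded from the file named in CA.cnf.
sign_csr() {
    dir=$1; csr=$2; out=$3; keyref=$4; engine=${5:-}
    if [ -n "$engine" ]; then
        openssl ca -config "$dir/CA.cnf" -batch -notext \
            -engine "$engine" -keyform ENGINE -keyfile "$keyref" \
            -in "$csr" -out "$out"
    else
        openssl ca -config "$dir/CA.cnf" -batch -notext \
            -keyform PEM -keyfile "$keyref" \
            -in "$csr" -out "$out"
    fi
}

# Return 0 if certificate $2 chains to the CA certificate in $1.
verify_issued() {
    openssl verify -CAfile "$1/ca.crt" "$2"
}

# Demo with constructed data and the software key; no HSM required.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    setup_ca "$work"
    openssl req -config "$work/CA.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$work/svr.key" -out "$work/svr.csr" \
        -subj "/CN=test-svr-010" 2>/dev/null
    sign_csr "$work" "$work/svr.csr" "$work/svr.crt" "$work/ca.key"
    verify_issued "$work" "$work/svr.crt"
    # Same CA.cnf, HSM-held key; only the key source on the command line changes:
    #   sign_csr "$work" req.pem out.pem "my-rsa-private-label" LunaCA3
fi
```

Saved as, say, ca-demo.sh and run with `sh ca-demo.sh demo`, it prints the verification result for the freshly issued certificate. Note that the private_key line in CA.cnf is simply ignored once -keyfile is given on the command line, which is what makes the engine form possible without any engine-specific entries in the config; the certificate line, by contrast, must keep pointing at the CA certificate PEM on disk, or openssl ca fails with "unable to load certificate" before it ever touches the key.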