Hi Patrick ,
I actually don't want to use the file that is generated from
sautil. For security reasons - i delete the private key from disk and
rely on the one stored inside the HSM partition. I've been directed to
use the following syntax for private key generation
# sautil -l "my-rsa-private-label" g 2048
# openssl req -engine LunaCA3 -new -nodes -key "my-rsa-private-label"
-keyform ENGINE -out tmpkey.req -days 30
Which works but when using openssl ca routine - it is not able to find / load
the keys
- Simon Charles -
> Subject: Re: Openssl default_ca values while using HSM - LunaCA3
> From: [email protected]
> Date: Thu, 13 Dec 2012 20:33:36 -0500
> To: [email protected]
>
> Hi Simon,
>
> Let me check with our Safenet Gurus here tomorrow... I think that the right
> thing to do though is use the file that sautil generated (or generate a new
> one with sautil), and then feed that to OpenSSL... we use that extensively
> here, and it works like a charm.
>
> Feel free to contact me privately.
>
> Best Regards,
>
> Patrick.
>
> On 2012-12-13, at 7:50 PM, simon charles wrote:
>
> >
> > Hi Patrick ,
> > I did create the private key using sautil and tagged a label while
> > creating it ( "root-ca" ). I am working with my Safenet representative but
> > the documentation is lacking when it comes to integration with openssl
> > command line. I figured - ask the openssl experts here. Any help would be
> > much appreciated.
> > Thanks.
> >
> > - Simon Charles -
> >
> >
> >> Subject: Re: Openssl default_ca values while using HSM - LunaCA3
> >> From: [email protected]
> >> Date: Thu, 13 Dec 2012 13:54:11 -0500
> >> To: [email protected]; [email protected]
> >>
> >> Hello Simon,
> >>
> >> The correct way is to have a "key pointer" file that you can use 'sautil'
> >> to create. Your SafeNet representative should be able to point you in the
> >> right direction.
> >>
> >> Best Regards,
> >>
> >> Patrick.
> >> On 2012-12-13, at 1:40 PM, simon charles wrote:
> >>
> >>>
> >>> Dr. Stephen ,
> >>> Thank you for your reply - here is the output of your recommended
> >>> command line
> >>>
> >>> /usr/local/openssl/ssl/bin/openssl ca -config CA.cnf -engine LunaCA3
> >>> -keyfile "root-ca" -keyform ENGINE -in test-svr-010req.pem -out
> >>> test-svr-010.pem -batch
> >>> Using configuration from CA.cnf
> >>> engine "LunaCA3" set.
> >>> unable to load certificate
> >>> 3086288524:error:02001002:system library:fopen:No such file or
> >>> directory:bss_file.c:169:fopen('root-ca','r') *
> >>> 3086288524:error:2006D080:BIO routines:BIO_new_file:no such
> >>> file:bss_file.c:172:
> >>> 3086288524:error:0906D06C:PEM routines:PEM_read_bio:no start
> >>> line:pem_lib.c:696:
> >>>
> >>> * Looks like it is trying to read the key from disk on not from the HSM.
> >>>
> >>> Thanks.
> >>>
> >>> - Simon Charles -
> >>>
> >>>
> >>>> Date: Thu, 13 Dec 2012 15:48:09 +0100
> >>>> From: [email protected]
> >>>> To: [email protected]
> >>>> Subject: Re: Openssl default_ca values while using HSM - LunaCA3
> >>>>
> >>>> On Wed, Dec 12, 2012, simon charles wrote:
> >>>>
> >>>>> Sorry for the duplicate post - was not signed up with the forum and
> >>>>> might have missed a response to my question . Please resend your
> >>>>> answers if you have already replied to my query.
> >>>>>
> >>>>>
> >>>>> All ,
> >>>>> What would the default_ca section look like while using
> >>>>> LunaCA3 HSM for storing CA private key. Openssl looks for certificate
> >>>>> and private_key on disk - how do i make openssl ca routine aware of
> >>>>> private keys on the HSM ( LunaCA3 )
> >>>>> Thanks.
> >>>>>
> >>>>
> >>>> Currently you cannot set the ENGINE parameters in the configuration
> >>>> file. You
> >>>> can however set them on the command line with:
> >>>>
> >>>> openssl ca -engine <engine name> -keyform e -keyfile <name>
> >>>>
> >>>>
> >>>> --
> >>>> Dr Stephen N. Henson. OpenSSL project core developer.
> >>>> Commercial tech support now available see: http://www.openssl.org
> >>>> ______________________________________________________________________
> >>>> OpenSSL Project http://www.openssl.org
> >>>> User Support Mailing List [email protected]
> >>>> Automated List Manager [email protected]
> >>>
> >>
> >> ---
> >> Patrick Patterson
> >> President and Chief PKI Architect
> >> Carillon Information Security Inc.
> >> http://www.carillon.ca
> >>
> >> tel: +1 514 485 0789
> >> mobile: +1 514 994 8699
> >> fax: +1 450 424 9559
> >>
> >>
> >>
> >>
> >>
> >> ______________________________________________________________________
> >> OpenSSL Project http://www.openssl.org
> >> User Support Mailing List [email protected]
> >> Automated List Manager [email protected]
> >
>
> ---
> Patrick Patterson
> Chief PKI Architect
> Carillon Information Security Inc.
> http://www.carillon.ca
>
>
>
>
>
