Hi Patrick,

I actually don't want to use the file that is generated from sautil. For security reasons I delete the private key from disk and rely on the one stored inside the HSM partition. I've been directed to use the following syntax for private key generation:

    # sautil -l "my-rsa-private-label" g 2048
    # openssl req -engine LunaCA3 -new -nodes -key "my-rsa-private-label" -keyform ENGINE -out tmpkey.req -days 30

Which works, but when using the openssl ca routine it is not able to find / load the keys.

- Simon Charles -

> Subject: Re: Openssl default_ca values while using HSM - LunaCA3
> From: ppatter...@carillon.ca
> Date: Thu, 13 Dec 2012 20:33:36 -0500
> To: charlessi...@hotmail.com
>
> Hi Simon,
>
> Let me check with our Safenet Gurus here tomorrow... I think that the right thing to do though is use the file that sautil generated (or generate a new one with sautil), and then feed that to OpenSSL... we use that extensively here, and it works like a charm.
>
> Feel free to contact me privately.
>
> Best Regards,
>
> Patrick.
>
> On 2012-12-13, at 7:50 PM, simon charles wrote:
>
> > Hi Patrick,
> > I did create the private key using sautil and tagged a label while creating it ("root-ca"). I am working with my Safenet representative but the documentation is lacking when it comes to integration with the openssl command line. I figured - ask the openssl experts here. Any help would be much appreciated.
> > Thanks.
> >
> > - Simon Charles -
> >
> >> Subject: Re: Openssl default_ca values while using HSM - LunaCA3
> >> From: ppatter...@carillon.ca
> >> Date: Thu, 13 Dec 2012 13:54:11 -0500
> >> To: openssl-users@openssl.org; charlessi...@hotmail.com
> >>
> >> Hello Simon,
> >>
> >> The correct way is to have a "key pointer" file that you can use 'sautil' to create. Your SafeNet representative should be able to point you in the right direction.
> >>
> >> Best Regards,
> >>
> >> Patrick.
> >>
> >> On 2012-12-13, at 1:40 PM, simon charles wrote:
> >>
> >>> Dr. Stephen,
> >>> Thank you for your reply - here is the output of your recommended command line:
> >>>
> >>> /usr/local/openssl/ssl/bin/openssl ca -config CA.cnf -engine LunaCA3 -keyfile "root-ca" -keyform ENGINE -in test-svr-010req.pem -out test-svr-010.pem -batch
> >>> Using configuration from CA.cnf
> >>> engine "LunaCA3" set.
> >>> unable to load certificate
> >>> 3086288524:error:02001002:system library:fopen:No such file or directory:bss_file.c:169:fopen('root-ca','r') *
> >>> 3086288524:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:172:
> >>> 3086288524:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:
> >>>
> >>> * Looks like it is trying to read the key from disk and not from the HSM.
> >>>
> >>> Thanks.
> >>>
> >>> - Simon Charles -
> >>>
> >>>> Date: Thu, 13 Dec 2012 15:48:09 +0100
> >>>> From: st...@openssl.org
> >>>> To: openssl-users@openssl.org
> >>>> Subject: Re: Openssl default_ca values while using HSM - LunaCA3
> >>>>
> >>>> On Wed, Dec 12, 2012, simon charles wrote:
> >>>>
> >>>>> Sorry for the duplicate post - was not signed up with the forum and might have missed a response to my question. Please resend your answers if you have already replied to my query.
> >>>>>
> >>>>> All,
> >>>>> What would the default_ca section look like while using LunaCA3 HSM for storing the CA private key? Openssl looks for certificate and private_key on disk - how do I make the openssl ca routine aware of private keys on the HSM (LunaCA3)?
> >>>>> Thanks.
> >>>>>
> >>>> Currently you cannot set the ENGINE parameters in the configuration file. You can however set them on the command line with:
> >>>>
> >>>> openssl ca -engine <engine name> -keyform e -keyfile <name>
> >>>>
> >>>> --
> >>>> Dr Stephen N. Henson. OpenSSL project core developer.
> >>>> Commercial tech support now available see: http://www.openssl.org
> >>>> ______________________________________________________________________
> >>>> OpenSSL Project http://www.openssl.org
> >>>> User Support Mailing List openssl-users@openssl.org
> >>>> Automated List Manager majord...@openssl.org
> >>
> >> ---
> >> Patrick Patterson
> >> President and Chief PKI Architect
> >> Carillon Information Security Inc.
> >> http://www.carillon.ca
> >>
> >> tel: +1 514 485 0789
> >> mobile: +1 514 994 8699
> >> fax: +1 450 424 9559
>
> ---
> Patrick Patterson
> Chief PKI Architect
> Carillon Information Security Inc.
> http://www.carillon.ca
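A worked example added here, not code from the thread, OpenSSL or SafeNet. The failing run quoted above reports "unable to load certificate" followed by fopen('root-ca'): that is the CA certificate step, not the key step. As Dr. Henson's reply says, the engine and the HSM key label can only be given on the command line (-engine, -keyform ENGINE, -keyfile), while the certificate named in the [ca] section's default_ca block is still opened as a PEM file on disk. The script below is a preflight a CA operator can run before openssl ca: it parses the config, resolves $dir, and refuses to sign when the certificate entry does not name a file. The names LunaCA3, root-ca and CA.cnf come from the thread; the function names, paths and the two sample configs are constructed for this example.

```shell
#!/bin/sh
# Added example (not the poster's or OpenSSL's own code): preflight for
# "openssl ca" when the CA private key lives in an HSM behind an engine.
# The key is named by its label on the command line; the CA *certificate*
# from the config must still be a PEM file on disk, otherwise openssl ca
# fails with fopen('<label>') exactly as in the thread.

# cnf_get FILE SECTION KEY -> prints the value of KEY inside [SECTION].
# Trailing "# comments" are stripped; no $var expansion except $dir below.
cnf_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { in_sec = ($0 ~ ("^[ \t]*\\[[ \t]*" sec "[ \t]*\\]")); next }
        in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub("^[ \t]*" key "[ \t]*=[ \t]*", "")
            sub("[ \t]*(#.*)?$", "")
            print; exit
        }' "$1"
}

# ca_cert_preflight CONFIG -> 0 if the CA certificate is a file on disk,
# 1 if the entry names something that is not a file (an HSM label, say),
# 2 if the config lacks a usable [ca] / default_ca / certificate chain.
ca_cert_preflight() {
    [ -r "$1" ] || { echo "error: cannot read config $1" >&2; return 2; }
    section=$(cnf_get "$1" ca default_ca)
    [ -n "$section" ] || { echo "error: no default_ca in [ca] of $1" >&2; return 2; }
    cert=$(cnf_get "$1" "$section" certificate)
    [ -n "$cert" ] || { echo "error: no certificate entry in [$section]" >&2; return 2; }
    dir=$(cnf_get "$1" "$section" dir)
    case $cert in                       # resolve OpenSSL's $dir shorthand
        '$dir'/*) cert="$dir/${cert#\$dir/}" ;;
    esac
    if [ -f "$cert" ]; then
        echo "ok: CA certificate file $cert"
        return 0
    fi
    echo "error: certificate=\"$cert\" is not a file on disk; openssl ca" \
         "would fail with fopen('$cert') even though the key comes from the engine" >&2
    return 1
}

# ca_sign CONFIG ENGINE LABEL CSR OUT -> preflight, then sign with the HSM key.
# Nothing about the key is read from the config; the label goes to -keyfile.
ca_sign() {
    ca_cert_preflight "$1" || return $?
    openssl ca -config "$1" -engine "$2" -keyform ENGINE -keyfile "$3" \
        -in "$4" -out "$5" -batch
}

# make_demo_configs DIR -> constructed sample configs: good.cnf points the
# certificate at a file under $dir; bad.cnf has the thread's shape
# (certificate = root-ca, the HSM label) and must fail the preflight.
make_demo_configs() {
    printf -- '-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n' \
        > "$1/ca-cert.pem"
    cat > "$1/good.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = $1
certificate   = \$dir/ca-cert.pem   # CA cert stays on disk
database      = \$dir/index.txt
new_certs_dir = \$dir
serial        = \$dir/serial
default_md    = sha256
policy        = policy_any

[ policy_any ]
commonName = supplied
EOF
    sed 's|^certificate .*|certificate = root-ca|' "$1/good.cnf" > "$1/bad.cnf"
}

# Stand-alone demo: run the preflight against both constructed configs.
tmp=$(mktemp -d)
make_demo_configs "$tmp"
ca_cert_preflight "$tmp/good.cnf" || true    # prints ok: ...
ca_cert_preflight "$tmp/bad.cnf"  || true    # prints the fopen('root-ca') warning
rm -rf "$tmp"
```

To use it against a real setup, call `ca_sign CA.cnf LunaCA3 root-ca request.pem signed.pem`; the preflight only checks the certificate entry, since the engine-resident key cannot be inspected from the config file at all.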