Thanks Mat - that info really helps. I validated your input and queried the private key file - which indeed pointed to handles on the HSM. For further validation - I tried to sign using the sautil output key file on another box w/o HSM and it failed.
- Simon Charles -

> From: argemat1...@gmail.com
> To: openssl-users@openssl.org
> Subject: Re: Openssl default_ca values while using HSM - LunaCA3
> Date: Mon, 17 Dec 2012 09:45:58 +0100
>
> On Friday 14. December 2012 17:08:02 you wrote:
> > Hi Patrick,
> >
> > I actually don't want to use the file that is generated from sautil. For security reasons - I delete the private key from disk and rely on the one stored inside the HSM partition. I've been directed to use the following syntax for private key generation
> >
>
> The keyfile that sautil creates does not contain the private key itself or any other sensitive information. It is formatted like an RSA private key, but the only information it contains is pointers to the location of the key on the HSM (stored in the exponent, if I remember correctly). Using this file as the value to the keyfile option, like Stephen pointed out, does indeed work.
>
> cheers
> Mat
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
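The check Simon describes (confirming that the on-disk keyfile holds HSM handles rather than real key material) can be done offline without a signing attempt. The following is an added example, not code from the thread or from sautil: it assumes, as Mat describes, that the file is laid out as a PKCS#1 RSAPrivateKey whose integer slots are not a consistent key, parses that DER layout, and applies the arithmetic checks a real key must pass. The toy key and stub values are constructed for illustration.

```python
from math import gcd
# Minimal DER helpers, constructed for this example (not sautil's file format).
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb

def der_int(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")  # +8 keeps the INTEGER positive
    return b"\x02" + der_len(len(body)) + body

def der_seq(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + der_len(len(body)) + body

def _read_len(buf: bytes, i: int):
    n, i = buf[i], i + 1
    if n & 0x80:  # long form: low 7 bits give the byte count of the length
        n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
    return n, i

def parse_rsa_private_key(der: bytes) -> list:
    """Return the INTEGER fields of a PKCS#1 RSAPrivateKey SEQUENCE."""
    if not der or der[0] != 0x30:
        raise ValueError("not a SEQUENCE")
    length, i = _read_len(der, 1)
    end, fields = i + length, []
    while i < end:
        if der[i] != 0x02:
            raise ValueError("expected INTEGER")
        length, i = _read_len(der, i + 1)
        fields.append(int.from_bytes(der[i:i + length], "big"))
        i += length
    return fields

def is_working_rsa_key(der: bytes) -> bool:
    """True only for a consistent RSA key; a key-shaped stub holding HSM handles fails."""
    _, n, e, d, p, q, dp, dq, qinv = parse_rsa_private_key(der)
    if p < 2 or q < 2 or p * q != n:
        return False
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    ok = (e * d) % lam == 1 and (q * qinv) % p == 1
    ok = ok and dp == d % (p - 1) and dq == d % (q - 1)
    m = 42 % n
    return ok and pow(pow(m, e, n), d, n) == m  # encrypt/decrypt round trip

# Constructed toy key (p=61, q=53); real keys are 2048+ bits.
REAL_KEY = der_seq(*(der_int(v) for v in (0, 3233, 17, 2753, 61, 53, 53, 49, 38)))
# Stub with the same layout, but handle-like placeholders instead of key material.
STUB_KEY = der_seq(*(der_int(v) for v in (0, 3233, 17, 0x1A2B, 1, 1, 0, 0, 0)))
```

A stub that fails `is_working_rsa_key` but still loads in OpenSSL with the HSM engine is exactly the behaviour Simon observed: usable through the engine, useless on a box without the HSM.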