You have two ways to follow. 1) To use an HSM to sign, the "official" way to do it is to use an openssl engine. If your HSM does not provide an openssl engine, it probably does provide a PKCS#11 module, and you can use the pkcs11 engine to load it and use it.
2) In some situations that is not possible (e.g. you need it to be signed on a different remote system). And I just had the same need this week, but for Certificate Requests. There are a lot of small non-documented things to do in this case but basically you need to: a) get the der encoded value of tbsCertificate field b) hash it c) apply pkcs1 padding and sign it d) put the signature on asn1 form e) add NIDs and other parameters to the cert_info field you identified. I spent a lot of time learning from forums and openssl code (X509_REQ_sign and functions it calls in my case) what I need to do. If you can, go for option 1). If nto I may help you more later with 2) On Thu, May 9, 2013 at 7:13 PM, Ken Goldman <kgold...@us.ibm.com> wrote: > I have a need to sign an X509 certificate outside openssl, using a > hardware security module. > > 1 - I have to first hash the certificate. > > I discovered X509_digest(), which is not documented. Is it the correct > function? > > I also found ASN1_item_i2d() to serialize the cert_info member, from which > point I can hash. Opinions? > > > > 2 - I have to apply the resulting signature and algorithm to the > certificate. > > I have some sample code which assigns values to the low level X509 > structure. > > E.g., > > x509->cert_info->signature_**algorithm = Obj_nid2obj(NID_** > sha1WithRSAEncryption); > > Is that the only way, or is there a higher level call to add the algorithm > ID in both places and the signature in one call? > > > > > > ______________________________**______________________________**__________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org > -- -- Cristian Thiago Moecke