> From: openssl-users [mailto:[email protected]] On Behalf Of Blumenthal, Uri - 0553 - MITLL
> Sent: Friday, July 07, 2017 10:03
> To: [email protected]
> Subject: Re: [openssl-users] OpenSSL Engine for TPM
>
> And in most cases (except those involving TPM-based platform attestation,
> which I don’t think has anything to do with OpenSSL use cases), a separate
> hardware token (like a smartcard, or an HSM) would IMHO be a much better
> and more usable choice. PKCS#11 engine (libp11) to access those is quite
> popular and works well.

Agreed. I've had good results with OpenSC-based devices such as the NitroKey HSM using the OpenSSL PKCS#11 engine. Requires installing the various prereqs and a bit of setup and experimentation, but it all works.

On Windows, the CAPI engine can also generally be used to drive HSMs, if they don't have a suitable PKCS#11 driver.

Michael Wojcik
Distinguished Engineer, Micro Focus
