Hi,
according to the curl manpage, it is possible to compile against OpenSSL
and use the PKCS11 interface to create such signatures:
If curl is built against OpenSSL library, and the engine
pkcs11 is available, then a PKCS#11 URI (RFC 7512) can be
used to specify a certificate located in a PKCS#11 device.
A string beginning with "pkcs11:" will be interpreted as a
PKCS#11 URI. If a PKCS#11 URI is provided, then the
--engine option will be set as "pkcs11" if none was provided
and the --cert-type option will be set as "ENG" if
none was provided.
I have never tried this myself so I have no idea if this works...
In the context of OpenXPKI the likely better approach would be to use the
new feature of signed JSON requests with the RPC Wrapper or use a "PKCS7
wrapped CSR" (only available with the enterprise workflows) which you
can do both with OpenSSL directly.
Oli
On 18.09.23 10:44, Wadepohl, Wolfram wrote:
In the documentation there is an example of an authenticated certificate request over
cURL with the --key and --cert options. AFAIK the --key argument is the private key
in decrypted text.
What if the private key is stored in a secure element like a Nitrokey/YubiKey or
IoT safe SIM?
--
Protect your environment - close windows and adopt a penguin!
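Added example, not part of the original messages and not OpenXPKI or curl project code: a small shell helper that builds the curl argument vector for a client certificate and private key that both live on a PKCS#11 token, spelling out the --engine and --cert-type values the quoted man page text says curl would set by itself. It assumes a curl built against OpenSSL with the pkcs11 engine available; the token label, object label and URL are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Token label, object label and URL are constructed placeholders.

# True if the argument uses the "pkcs11:" scheme that curl looks for.
is_pkcs11_uri() {
  case "$1" in
    pkcs11:*) return 0 ;;
    *) return 1 ;;
  esac
}

# True if the URI carries the RFC 7512 "pin-value" query attribute, which
# would put the token PIN into the shell history and the process list.
has_inline_pin() {
  case "$1" in
    *\?pin-value=*|*\&pin-value=*) return 0 ;;
    *) return 1 ;;
  esac
}

# curl_pkcs11_args CERT_URI KEY_URI URL
# Prints the curl argument vector, one argument per line.
# Returns 2 for a reference that is not a PKCS#11 URI (for example a key
# file on disk) and 3 for a URI that embeds the PIN.
curl_pkcs11_args() {
  for uri in "$1" "$2"; do
    if ! is_pkcs11_uri "$uri"; then
      echo "not a PKCS#11 URI: $uri" >&2
      return 2
    fi
    if has_inline_pin "$uri"; then
      echo "pin-value in URI refused" >&2
      return 3
    fi
  done
  # ENG tells curl the certificate and key are loaded through the engine,
  # so no private key file is read from disk.
  printf '%s\n' curl --engine pkcs11 \
    --cert-type ENG --cert "$1" \
    --key-type ENG --key "$2" "$3"
}

# Demo with constructed values; prints the arguments, does not contact anything.
curl_pkcs11_args \
  'pkcs11:token=demo-token;object=client;type=cert' \
  'pkcs11:token=demo-token;object=client;type=private' \
  'https://pki.example.org/PLACEHOLDER'
```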