Re: OpenSSL - CryptoAPI - nCipher
>> 8. Now, I want to load the certificate into the same SSL Context. At first I tried using the simple- ENGINE_load_ssl_client_cert() on the certificate file generated earlier, but that failed. I can understand why- the certificate is encrypted (self-signed). So it seems like the function that I would want to use instead is- ENGINE_load_ssl_client_certificate() But I'm not entirely sure if the same certificate is supposed to go into the context as client certificate and if I am trying to do the right thing.
>>
>> Can someone please point me in the right direction? Hopefully I've included all information that is relevant to my question.
>
> Forget about the ENGINE for this step. You can load the certificate into an X509 structure and pass that to the SSL_CTX. How you do that depends on the certificate format. If it is PEM format you can use PEM_read_X509. If DER the d2i_X509_fp will do the trick.

Hi Steve, thanks for your reply. While it's definitely helped me take another step in the right direction, I've run into a problem when using the PEM_read_X509() function.

The error string that I get from the function call is

_base = 0x047329a8 6632:error:0906D06C:PEM routines:func(109):reason(108):.\crypto\pem\pem_lib.c:696:Expecting: CERTIFICATE.

And when I open my foocert.PEM file in a text editor, it is not readable.

Going back to how I created it: I used the command string-

makecert -r -sk fooContainer -sp nCipher Enhanced Security Provider -sky exchange foocert.pem

When my working code was using software key storage earlier, my .PEM looked like a readable text file of the form-

-BEGIN CERTIFICATE-
9w0BA ... TKekJ==
-END CERTIFICATE-

...but of course that was created using an openssl x509 command since my private and public key files were available on the disk.

So I guess the question now really is- How do you create a .PEM X509 self-signed certificate for a CAPI key that is stored in a container on the nCipher hardware?

This might be the last hurdle for my OpenSSL integration with nCipher.

Thank you,
Sunjeet

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: OpenSSL - CryptoAPI - nCipher
On Wed, Mar 14, 2012, Sunjeet Singh wrote:

>>> 8. Now, I want to load the certificate into the same SSL Context. At first I tried using the simple- ENGINE_load_ssl_client_cert() on the certificate file generated earlier, but that failed. I can understand why- the certificate is encrypted (self-signed). So it seems like the function that I would want to use instead is- ENGINE_load_ssl_client_certificate() But I'm not entirely sure if the same certificate is supposed to go into the context as client certificate and if I am trying to do the right thing.
>>>
>>> Can someone please point me in the right direction? Hopefully I've included all information that is relevant to my question.
>>
>> Forget about the ENGINE for this step. You can load the certificate into an X509 structure and pass that to the SSL_CTX. How you do that depends on the certificate format. If it is PEM format you can use PEM_read_X509. If DER the d2i_X509_fp will do the trick.
>
> Hi Steve, thanks for your reply. While it's definitely helped me take another step in the right direction, I've run into a problem when using the PEM_read_X509() function.
>
> The error string that I get from the function call is
>
> _base = 0x047329a8 6632:error:0906D06C:PEM routines:func(109):reason(108):.\crypto\pem\pem_lib.c:696:Expecting: CERTIFICATE.
>
> And when I open my foocert.PEM file in a text editor, it is not readable.

Then it is probably DER format. Use d2i_X509_fp instead and make sure you open the fp in binary mode.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
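
The PEM-versus-DER mix-up in this exchange can be checked before choosing a loader. The following C sketch is an added example, not code from either poster or from OpenSSL; `classify_cert` and `classify_cert_file` are hypothetical helper names, and the check looks only at the outer encoding, not at the certificate contents.

```c
#include <stdio.h>
#include <string.h>

enum cert_enc { ENC_UNKNOWN, ENC_PEM, ENC_DER };

/* Classify a buffer so the caller can pick the loader named in the thread:
 * PEM_read_X509 for PEM, d2i_X509_fp for DER. Not a certificate parser. */
enum cert_enc classify_cert(const unsigned char *buf, size_t len)
{
    static const char hdr[] = "-----BEGIN CERTIFICATE-----";
    size_t hlen = sizeof hdr - 1, i;

    /* DER: SEQUENCE tag 0x30, then a definite length that must account for
     * every remaining byte; a truncated or rewritten read fails this. */
    if (len >= 2 && buf[0] == 0x30) {
        size_t n = buf[1], off = 2, body = n;
        if (n & 0x80) {                 /* long form: n length octets follow */
            n &= 0x7f;
            body = 0;
            off = 2 + n;
            if (n == 0 || n > 4 || len < off) {
                n = 0; off = 0;         /* indefinite, oversized or cut short */
            }
            for (i = 0; i < n; i++)
                body = (body << 8) | buf[2 + i];
        }
        if (off && body == len - off)
            return ENC_DER;
    }
    /* PEM: the marker behind "Expecting: CERTIFICATE"; text may precede it,
     * but the marker must begin a line. */
    for (i = 0; i + hlen <= len; i++)
        if ((i == 0 || buf[i - 1] == '\n') && memcmp(buf + i, hdr, hlen) == 0)
            return ENC_PEM;
    return ENC_UNKNOWN;
}

/* Read the file in binary mode ("rb"); DER over 16 KiB reports ENC_UNKNOWN. */
enum cert_enc classify_cert_file(const char *path)
{
    unsigned char buf[16384];
    size_t len;
    FILE *fp = fopen(path, "rb");
    if (fp == NULL) return ENC_UNKNOWN;
    len = fread(buf, 1, sizeof buf, fp);
    fclose(fp);
    return classify_cert(buf, len);
}
```

A result of `ENC_UNKNOWN` for a file that should be DER is worth treating as a sign that the bytes were altered or cut short on the way in, which is what a text-mode read can do on Windows.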
Re: OpenSSL - CryptoAPI - nCipher
> Then it is probably DER format. Use d2i_X509_fp instead and make sure you open the fp in binary mode.
>
> Steve.

Yes, indeed. It worked! Thanks again for your quick reply.

Sunjeet
Re: OpenSSL - CryptoAPI - nCipher
On Tue, Mar 13, 2012, Sunjeet Singh wrote:

> 8. Now, I want to load the certificate into the same SSL Context. At first I tried using the simple- ENGINE_load_ssl_client_cert() on the certificate file generated earlier, but that failed. I can understand why- the certificate is encrypted (self-signed). So it seems like the function that I would want to use instead is- ENGINE_load_ssl_client_certificate() But I'm not entirely sure if the same certificate is supposed to go into the context as client certificate and if I am trying to do the right thing.
>
> Can someone please point me in the right direction? Hopefully I've included all information that is relevant to my question.

Forget about the ENGINE for this step. You can load the certificate into an X509 structure and pass that to the SSL_CTX. How you do that depends on the certificate format. If it is PEM format you can use PEM_read_X509. If DER the d2i_X509_fp will do the trick.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org