Re: Openssl default_ca values while using HSM - LunaCA3

2012-12-17 Thread Mat Arge
On Friday 14. December 2012 17:08:02 you wrote:
 Hi Patrick,
 
 I actually don't want to use the file that is generated from
 sautil. For security reasons - I delete the private key from disk and
 rely on the one stored inside the HSM partition. I've been directed to
 use the following syntax for private key generation

The keyfile that sautil creates does not contain the private key itself or any
other sensitive information. It is formatted like an RSA private key, but the
only information it contains is pointers to the location of the key on the
HSM (stored in the exponent, if I remember correctly). Using this file as the
value to the keyfile option, like Stephen pointed out, does indeed work.

cheers
Mat
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
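Mat's point that the sautil keyfile is only key-shaped can be checked directly before a real key is deleted from disk or a keyfile is copied around. The following is an added example, not code from the thread or from SafeNet's sautil: it parses a PKCS#1 "RSA PRIVATE KEY" PEM with the Python standard library and tests whether the integers inside form a self-consistent RSA key (n == p*q and e*d == 1 mod lcm(p-1, q-1)); a pointer file fails that test. Both sample files are constructed here, and the pointer-shaped one is a stand-in for the idea, not sautil's actual layout.

```python
import base64
import math
import re


def read_tlv(buf: bytes, pos: int, tag: int):
    """Read one DER element with the expected tag; return (contents, offset after it)."""
    if buf[pos] != tag:
        raise ValueError(f"unexpected DER tag 0x{buf[pos]:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes that follow
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return buf[pos:pos + length], pos + length


def rsa_fields(pem: str) -> list:
    """PKCS#1 'RSA PRIVATE KEY' PEM -> its INTEGER fields [version, n, e, d, p, q, dP, dQ, qInv]."""
    m = re.search(r"-----BEGIN RSA PRIVATE KEY-----(.*?)-----END RSA PRIVATE KEY-----", pem, re.S)
    if not m:
        raise ValueError("not a PKCS#1 RSA PRIVATE KEY PEM block")
    seq, _ = read_tlv(base64.b64decode("".join(m.group(1).split())), 0, 0x30)
    fields, pos = [], 0
    while pos < len(seq):
        val, pos = read_tlv(seq, pos, 0x02)
        fields.append(int.from_bytes(val, "big"))
    return fields


def is_real_rsa_key(pem: str) -> bool:
    """True only for a self-consistent key: n == p*q and e*d == 1 (mod lcm(p-1, q-1))."""
    f = rsa_fields(pem)
    if len(f) < 6 or f[4] < 2 or f[5] < 2 or f[4] * f[5] != f[1]:
        return False
    _version, _n, e, d, p, q = f[:6]
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return (e * d) % lam == 1


def make_pem(fields) -> str:
    """Encode integers as a PKCS#1-shaped PEM block (used only to build the constructed samples)."""
    def tlv(tag: int, body: bytes) -> bytes:  # DER TLV with short- or long-form length
        ln = len(body)
        if ln < 0x80:
            return bytes([tag, ln]) + body
        raw = ln.to_bytes((ln.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(raw)]) + raw + body
    # (bit_length + 8) // 8 bytes keeps the leading 0x00 DER requires when the high bit is set
    body = b"".join(tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big")) for v in fields)
    b64 = base64.b64encode(tlv(0x30, body)).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN RSA PRIVATE KEY-----\n{lines}\n-----END RSA PRIVATE KEY-----\n"


# Constructed sample 1: a genuine toy-sized RSA key (p=61, q=53, e=17, d=2753).
P, Q, E, D = 61, 53, 17, 2753
REAL_PEM = make_pem([0, P * Q, E, D, P, Q, D % (P - 1), D % (Q - 1), pow(Q, -1, P)])
# Constructed sample 2: key-shaped file holding a handle-like value and dummy 1s (stand-in, not sautil's layout).
POINTER_PEM = make_pem([0, 1 << 2047, 65537, 0x1A2B, 1, 1, 0, 0, 0])
```

Run `is_real_rsa_key` over the file you intend to keep: a result of False means the file cannot sign on its own, which is the property Simon confirmed by trying the keyfile on a box without the HSM.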


RE: Openssl default_ca values while using HSM - LunaCA3

2012-12-17 Thread simon charles

Thanks Mat - that info really helps. I validated your input and queried the
private key file - which indeed pointed to handles on the HSM. For further
validation - I tried to sign using the sautil output key file on another box
w/o HSM and it failed.

- Simon Charles - 



RE: Openssl default_ca values while using HSM - LunaCA3

2012-12-16 Thread Dave Thompson
 From: owner-openssl-us...@openssl.org On Behalf Of Dr. Stephen Henson
 Sent: Saturday, 15 December, 2012 12:48

 On Fri, Dec 14, 2012, simon charles wrote:
 
  Which works but when using openssl ca routine - it is not 
 able to find / load the keys
  
 
 I can't see why ca shouldn't work. I'd suggest trying a newer version of
 OpenSSL downloaded from the website in case it's some weird local version with
 a bug.
 
One thought:
is OP using the same keypair for req -new (EE) and ca (CA)?

If so, that's rather odd practice; if you just want a self-signed
cert for a keypair, req -new -x509 is nearly as good and simpler.

If not, there could be some problem on the CA keypair specifically.

If rsa -check -engine works as it appears, that could narrow down 
the problem area.



Re: Openssl default_ca values while using HSM - LunaCA3

2012-12-15 Thread Dr. Stephen Henson
On Fri, Dec 14, 2012, simon charles wrote:

 
 
 Which works but when using openssl ca routine - it is not able to find / load 
 the keys
 

I can't see why ca shouldn't work. I'd suggest trying a newer version of
OpenSSL downloaded from the website in case it's some weird local version with
a bug.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


RE: Openssl default_ca values while using HSM - LunaCA3

2012-12-14 Thread simon charles

Hi Patrick,

I actually don't want to use the file that is generated from
sautil. For security reasons - I delete the private key from disk and
rely on the one stored inside the HSM partition. I've been directed to
use the following syntax for private key generation

# sautil -l my-rsa-private-label g 2048

# openssl req -engine LunaCA3 -new -nodes -key my-rsa-private-label
-keyform ENGINE  -out tmpkey.req -days 30

Which works but when using openssl ca routine - it is not able to find / load
the keys

- Simon Charles -


 Subject: Re: Openssl default_ca values while using HSM - LunaCA3
 From: ppatter...@carillon.ca
 Date: Thu, 13 Dec 2012 20:33:36 -0500
 To: charlessi...@hotmail.com
 
 Hi Simon,
 
 Let me check with our Safenet Gurus here tomorrow... I think that the right 
 thing to do though is use the file that sautil generated (or generate a new 
 one with sautil), and then feed that to OpenSSL... we use that extensively 
 here, and it works like a charm.
 
 Feel free to contact me privately.
 
 Best Regards,
 
 Patrick.
 
 
 ---
 Patrick Patterson
 Chief PKI Architect
 Carillon Information Security Inc.
 http://www.carillon.ca
 
 
 
 
 
  

Re: Openssl default_ca values while using HSM - LunaCA3

2012-12-13 Thread Dr. Stephen Henson
On Wed, Dec 12, 2012, simon charles wrote:

 Sorry for the duplicate post - was not signed up with the forum and might
 have missed a response to my question. Please resend your answers if you
 have already replied to my query.
 
 All,
 What would the default_ca section look like while using
 LunaCA3 HSM for storing CA private key. Openssl looks for certificate
 and private_key on disk - how do I make openssl ca routine aware of
 private keys on the HSM ( LunaCA3 )
 Thanks.
 

Currently you cannot set the ENGINE parameters in the configuration file. You
can however set them on the command line with:

openssl ca -engine engine name -keyform e -keyfile name




RE: Openssl default_ca values while using HSM - LunaCA3

2012-12-13 Thread simon charles

Dr. Stephen,
Thank you for your reply - here is the output of your recommended command
line

/usr/local/openssl/ssl/bin/openssl ca -config CA.cnf -engine LunaCA3  -keyfile
root-ca -keyform ENGINE -in test-svr-010req.pem -out test-svr-010.pem -batch
Using configuration from CA.cnf
engine LunaCA3 set.
unable to load certificate
3086288524:error:02001002:system library:fopen:No such file or directory:bss_file.c:169:fopen('root-ca','r')  *
3086288524:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:172:
3086288524:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:

* Looks like it is trying to read the key from disk and not from the HSM.

Thanks.

- Simon Charles -



Re: Openssl default_ca values while using HSM - LunaCA3

2012-12-13 Thread Dr. Stephen Henson
On Thu, Dec 13, 2012, simon charles wrote:

 
 Dr. Stephen,
 Thank you for your reply - here is the output of your recommended
 command line
 
 /usr/local/openssl/ssl/bin/openssl ca -config CA.cnf -engine LunaCA3
 -keyfile root-ca -keyform ENGINE -in test-svr-010req.pem -out
 test-svr-010.pem -batch
 Using configuration from CA.cnf
 engine LunaCA3 set.
 unable to load certificate
 3086288524:error:02001002:system library:fopen:No such file or
 directory:bss_file.c:169:fopen('root-ca','r')  *
 3086288524:error:2006D080:BIO routines:BIO_new_file:no such
 file:bss_file.c:172:
 3086288524:error:0906D06C:PEM routines:PEM_read_bio:no start
 line:pem_lib.c:696:
 
 * Looks like it is trying to read the key from disk and not from the HSM.
   

Weird. What version of OpenSSL is that?

I checked the source and it *should* be passing the key format parameter to
the load_key function. Can you check under a debugger?

Steve.


RE: Openssl default_ca values while using HSM - LunaCA3

2012-12-13 Thread simon charles

/usr/local/openssl/ssl/bin/openssl version
OpenSSL 1.0.0e 6 Sep 2011

- Simon Charles -



Re: Openssl default_ca values while using HSM - LunaCA3

2012-12-13 Thread Patrick Patterson
Hello Simon,

The correct way is to have a key pointer file that you can use 'sautil' to 
create. Your SafeNet representative should be able to point you in the right 
direction.

Best Regards,

Patrick.
---
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca

tel: +1 514 485 0789
mobile: +1 514 994 8699
fax: +1 450 424 9559







RE: Openssl default_ca values while using HSM - LunaCA3

2012-12-13 Thread simon charles

Hi Patrick,
I did create the private key using sautil and tagged a label while creating
it ( root-ca ). I am working with my Safenet representative but the
documentation is lacking when it comes to integration with openssl command
line. I figured - ask the openssl experts here. Any help would be much
appreciated.
Thanks.

- Simon Charles -

