Re: Openssl default_ca values while using HSM - LunaCA3
On Friday 14. December 2012 17:08:02 you wrote:
> Hi Patrick,
> I actually don't want to use the file that is generated from sautil. For security reasons I delete the private key from disk and rely on the one stored inside the HSM partition. I've been directed to use the following syntax for private key generation

The keyfile that sautil creates does not contain the private key itself or any other sensitive information. It is formatted like an RSA private key, but the only information it contains are pointers to the location of the key on the HSM (stored in the exponent, if I remember correctly). Using this file as the value to the keyfile option, like Stephen pointed out, does indeed work.

cheers
Mat

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
RE: Openssl default_ca values while using HSM - LunaCA3
Thanks Mat - that info really helps. I validated your input and queried the private key file, which indeed pointed to handles on the HSM. For further validation I tried to sign using the sautil output key file on another box w/o HSM and it failed.

- Simon Charles -

From: argemat1...@gmail.com
To: openssl-users@openssl.org
Subject: Re: Openssl default_ca values while using HSM - LunaCA3
Date: Mon, 17 Dec 2012 09:45:58 +0100

> The keyfile that sautil creates does not contain the private key itself or any other sensitive information. It is formatted like an RSA private key, but the only information it contains are pointers to the location of the key on the HSM (stored in the exponent, if I remember correctly). Using this file as the value to the keyfile option, like Stephen pointed out, does indeed work.
>
> cheers
> Mat
RE: Openssl default_ca values while using HSM - LunaCA3
From: owner-openssl-us...@openssl.org On Behalf Of Dr. Stephen Henson
Sent: Saturday, 15 December, 2012 12:48

> On Fri, Dec 14, 2012, simon charles wrote:
> > Which works but when using openssl ca routine - it is not able to find / load the keys
>
> I can't see why ca shouldn't work. I'd suggest trying a newer version of OpenSSL downloaded from the website in case it's some weird local version with a bug.

One thought: is OP using the same keypair for req -new (EE) and ca (CA)? If so, that's rather odd practice; if you just want a selfsigned cert for a keypair, req -new -x509 is nearly as good and simpler. If not, there could be some problem on the CA keypair specifically. If rsa -check -engine works as it appears, that could narrow down the problem area.
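Added example (my own code, not from this thread, from OpenSSL or from SafeNet) for the point Mat makes above about the sautil keyfile, Simon's check of it, and the rsa -check hint in the message just above: a PEM that parses as a PKCS#1 RSAPrivateKey can still hold no key material at all, and the way to tell is to test the RSA arithmetic, which is what openssl rsa -check does. The block reimplements that test in pure Python so it runs with no engine or HSM present. All function names (inspect_key_file, parse_rsa_private_key, build_pem) are mine. Both sample PEMs are constructed inside the block: the toy key is built from two known primes, and the handle-only stand-in is an assumed layout, since the thread only says the handles sit in the exponent fields, so its field values are illustrative, not Luna's actual format.

```python
"""Inspect a PEM "RSA PRIVATE KEY" and decide whether it carries real
private-key material or only opaque handles (as the sautil keyfile does).

Pure-Python re-implementation of the arithmetic behind `openssl rsa -check`
(n == p*q, e*d == 1 mod lcm(p-1, q-1), CRT fields consistent); no engine or
HSM is needed, and a file that holds only handles fails every test.
"""
import base64
import math
import re


def _der_len(n: int) -> bytes:
    # DER length: short form below 128, else 0x80|count followed by the bytes.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_integer(value: int) -> bytes:
    # DER INTEGER; a leading 0x00 keeps a value with the high bit set positive.
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body

def der_sequence(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int):
    # Return (tag, value, next_pos) for the DER element starting at buf[pos].
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_private_key(pem: str) -> dict:
    """Decode a PKCS#1 RSAPrivateKey PEM into its nine INTEGER fields."""
    m = re.search(r"-----BEGIN RSA PRIVATE KEY-----(.*?)-----END RSA PRIVATE KEY-----",
                  pem, re.S)
    if not m:
        raise ValueError("not a PKCS#1 RSA PRIVATE KEY PEM")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    fields, pos = {}, 0
    for name in ("version", "n", "e", "d", "p", "q", "dp", "dq", "qinv"):
        tag, val, pos = _read_tlv(seq, pos)
        if tag != 0x02:
            raise ValueError(f"field {name} is not an INTEGER")
        fields[name] = int.from_bytes(val, "big")
    return fields

def inspect_key_file(pem: str) -> dict:
    """Report field sizes and whether the fields satisfy RSA arithmetic."""
    k = parse_rsa_private_key(pem)
    n, e, d, p, q = k["n"], k["e"], k["d"], k["p"], k["q"]
    consistent = False
    if min(n, p, q) >= 2 and p * q == n:   # guard: placeholder zeros must not divide by zero
        lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
        consistent = ((e * d) % lam == 1 and k["dp"] == d % (p - 1)
                      and k["dq"] == d % (q - 1) and (k["qinv"] * q) % p == 1)
    return {"modulus_bits": n.bit_length(),
            "private_exponent_bits": d.bit_length(),
            "consistent": consistent,
            "verdict": "real-key" if consistent else "handle-only"}

def build_pem(fields) -> str:
    """Encode nine integers as a PKCS#1 RSAPrivateKey PEM (used for the samples)."""
    b64 = base64.b64encode(der_sequence(*(der_integer(v) for v in fields))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN RSA PRIVATE KEY-----\n{body}\n-----END RSA PRIVATE KEY-----\n"


# Constructed sample 1: a toy key from two known primes (far too small for real
# use, but arithmetically valid, so it passes the check).
_P, _Q, _E = 2147483647, 2305843009213693951, 65537      # 2^31-1 and 2^61-1
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
REAL_KEY_PEM = build_pem([0, _P * _Q, _E, _D, _P, _Q,
                          _D % (_P - 1), _D % (_Q - 1), pow(_Q, -1, _P)])

# Constructed sample 2: a stand-in for a handle-only keyfile. The thread says the
# handles live in the exponent fields; the exact Luna layout is an ASSUMPTION here.
# It parses fine and even advertises a 2048-bit modulus, yet carries no key.
HANDLE_KEY_PEM = build_pem([0, (1 << 2047) + 1, 65537, 42, 0, 0, 0, 0, 0])

if __name__ == "__main__":
    for label, pem in (("toy real key", REAL_KEY_PEM),
                       ("handle-only stand-in", HANDLE_KEY_PEM)):
        print(label, inspect_key_file(pem))
```

Run it on a real sautil keyfile with inspect_key_file(open(path).read()): a verdict of handle-only with a tiny private_exponent_bits is the picture Simon describes when he queried his file, and signing with such a file on a host without the HSM fails for the same reason. Two caveats. The check only tells you what is not in the file; it does not authenticate the handle or the HSM behind it. And the "unable to load certificate" line in Simon's output further down is printed when openssl ca cannot open the CA certificate (the certificate entry in CA.cnf, or -cert), which ca reads from disk as PEM whatever -engine is set to; only the private key is fetched through the engine.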
Re: Openssl default_ca values while using HSM - LunaCA3
On Fri, Dec 14, 2012, simon charles wrote:
> Which works but when using openssl ca routine - it is not able to find / load the keys

I can't see why ca shouldn't work. I'd suggest trying a newer version of OpenSSL downloaded from the website in case it's some weird local version with a bug.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: Openssl default_ca values while using HSM - LunaCA3
Hi Patrick,

I actually don't want to use the file that is generated from sautil. For security reasons I delete the private key from disk and rely on the one stored inside the HSM partition. I've been directed to use the following syntax for private key generation:

# sautil -l my-rsa-private-label g 2048
# openssl req -engine LunaCA3 -new -nodes -key my-rsa-private-label -keyform ENGINE -out tmpkey.req -days 30

Which works, but when using the openssl ca routine it is not able to find / load the keys.

- Simon Charles -

Subject: Re: Openssl default_ca values while using HSM - LunaCA3
From: ppatter...@carillon.ca
Date: Thu, 13 Dec 2012 20:33:36 -0500
To: charlessi...@hotmail.com

> Hi Simon,
>
> Let me check with our Safenet Gurus here tomorrow... I think that the right thing to do though is use the file that sautil generated (or generate a new one with sautil), and then feed that to OpenSSL... we use that extensively here, and it works like a charm.
>
> Feel free to contact me privately.
>
> Best Regards,
>
> Patrick.
>
> ---
> Patrick Patterson
> Chief PKI Architect
> Carillon Information Security Inc.
> http://www.carillon.ca
Re: Openssl default_ca values while using HSM - LunaCA3
On Wed, Dec 12, 2012, simon charles wrote:
> Sorry for the duplicate post - was not signed up with the forum and might have missed a response to my question. Please resend your answers if you have already replied to my query.
>
> All,
> What would the default_ca section look like while using LunaCA3 HSM for storing CA private key. Openssl looks for certificate and private_key on disk - how do I make openssl ca routine aware of private keys on the HSM ( LunaCA3 )
> Thanks.

Currently you cannot set the ENGINE parameters in the configuration file. You can however set them on the command line with:

openssl ca -engine engine name -keyform e -keyfile name

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: Openssl default_ca values while using HSM - LunaCA3
Dr. Stephen,

Thank you for your reply - here is the output of your recommended command line:

/usr/local/openssl/ssl/bin/openssl ca -config CA.cnf -engine LunaCA3 -keyfile root-ca -keyform ENGINE -in test-svr-010req.pem -out test-svr-010.pem -batch
Using configuration from CA.cnf
engine LunaCA3 set.
unable to load certificate
3086288524:error:02001002:system library:fopen:No such file or directory:bss_file.c:169:fopen('root-ca','r')
3086288524:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:172:
3086288524:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:

Looks like it is trying to read the key from disk and not from the HSM.

Thanks.

- Simon Charles -

Date: Thu, 13 Dec 2012 15:48:09 +0100
From: st...@openssl.org
To: openssl-users@openssl.org
Subject: Re: Openssl default_ca values while using HSM - LunaCA3

> Currently you cannot set the ENGINE parameters in the configuration file. You can however set them on the command line with:
>
> openssl ca -engine engine name -keyform e -keyfile name
>
> Steve.
Re: Openssl default_ca values while using HSM - LunaCA3
On Thu, Dec 13, 2012, simon charles wrote:
> Dr. Stephen,
> Thank you for your reply - here is the output of your recommended command line:
>
> /usr/local/openssl/ssl/bin/openssl ca -config CA.cnf -engine LunaCA3 -keyfile root-ca -keyform ENGINE -in test-svr-010req.pem -out test-svr-010.pem -batch
> Using configuration from CA.cnf
> engine LunaCA3 set.
> unable to load certificate
> 3086288524:error:02001002:system library:fopen:No such file or directory:bss_file.c:169:fopen('root-ca','r')
> 3086288524:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:172:
> 3086288524:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:
>
> Looks like it is trying to read the key from disk and not from the HSM.

Weird. What version of OpenSSL is that? I checked the source and it *should* be passing the key format parameter to the load_key function. Can you check under a debugger?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: Openssl default_ca values while using HSM - LunaCA3
/usr/local/openssl/ssl/bin/openssl version
OpenSSL 1.0.0e 6 Sep 2011

- Simon Charles -

Date: Thu, 13 Dec 2012 19:53:40 +0100
From: st...@openssl.org
To: openssl-users@openssl.org
Subject: Re: Openssl default_ca values while using HSM - LunaCA3

> Weird. What version of OpenSSL is that? I checked the source and it *should* be passing the key format parameter to the load_key function. Can you check under a debugger?
>
> Steve.
Re: Openssl default_ca values while using HSM - LunaCA3
Hello Simon,

The correct way is to have a key pointer file that you can use 'sautil' to create. Your SafeNet representative should be able to point you in the right direction.

Best Regards,

Patrick.

On 2012-12-13, at 1:40 PM, simon charles wrote:
> Dr. Stephen,
> Thank you for your reply - here is the output of your recommended command line:
>
> /usr/local/openssl/ssl/bin/openssl ca -config CA.cnf -engine LunaCA3 -keyfile root-ca -keyform ENGINE -in test-svr-010req.pem -out test-svr-010.pem -batch
> Using configuration from CA.cnf
> engine LunaCA3 set.
> unable to load certificate
> 3086288524:error:02001002:system library:fopen:No such file or directory:bss_file.c:169:fopen('root-ca','r')
> 3086288524:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:172:
> 3086288524:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:
>
> Looks like it is trying to read the key from disk and not from the HSM.
>
> Thanks.
>
> - Simon Charles -

---
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
tel: +1 514 485 0789
mobile: +1 514 994 8699
fax: +1 450 424 9559
RE: Openssl default_ca values while using HSM - LunaCA3
Hi Patrick,

I did create the private key using sautil and tagged a label while creating it ( root-ca ). I am working with my Safenet representative but the documentation is lacking when it comes to integration with the openssl command line. I figured - ask the openssl experts here. Any help would be much appreciated.

Thanks.

- Simon Charles -

Subject: Re: Openssl default_ca values while using HSM - LunaCA3
From: ppatter...@carillon.ca
Date: Thu, 13 Dec 2012 13:54:11 -0500
To: openssl-users@openssl.org; charlessi...@hotmail.com

> Hello Simon,
>
> The correct way is to have a key pointer file that you can use 'sautil' to create. Your SafeNet representative should be able to point you in the right direction.
>
> Best Regards,
>
> Patrick.