> From: owner-openssl-us...@openssl.org On Behalf Of Viktor Dukhovni
> Sent: Friday, 10 May, 2013 12:20
> On Fri, May 10, 2013 at 11:26:35AM -0400, Ken Goldman wrote:
>
> > >a) get the der encoded value of tbsCertificate field
> > >b) hash it
> > >c) apply pkcs1 padding and sign it
> > >d) put th
Cristian Thiago Moecke
writes:
> You have two ways to follow.
>
> 1) To use an HSM to sign, the "official" way to do it is to use an
> openssl engine. If your HSM does not provide an openssl engine, it
> probably does provide a PKCS#11 module, and you can use the pkcs11
> engine to load it and
On Fri, May 10, 2013 at 11:26:35AM -0400, Ken Goldman wrote:
> >a) get the der encoded value of tbsCertificate field
> >b) hash it
> >c) apply pkcs1 padding and sign it
> >d) put the signature on asn1 form
> >e) add NIDs and other parameters to the cert_info field you identified.
> >I spent a lot
> 2) In some situations that is not possible (e.g. you need it to be
>> signed on a different remote system). And I just had the same need this
>> week, but for Certificate Requests. There are a lot of small
>> non-documented things to do in this case but basically you need to:
>> a) get the der e
On 5/10/2013 6:17 AM, Krzysztof Konopko wrote:
This could also be handled by some sort of engine that would work in two
modes:
* generate an intermediate result (hash) that can be processed (signed)
I'm looking for advice on how to do that.
at the remote site (how to get it there securely is
On 5/10/2013 5:37 AM, Cristian Thiago Moecke wrote:
You have two ways to follow.
1) To use an HSM to sign, the "official" way to do it is to use an
openssl engine. If your HSM does not provide an openssl engine, it
probably does provide a PKCS#11 module, and you can use the pkcs11
engine to loa
2013/5/10 Cristian Thiago Moecke
> You have two ways to follow.
>
> 2) In some situations that is not possible (e.g. you need it to be signed
> on a different remote system). And I just had the same need this week, but
> for Certificate Requests. There are a lot of small non-documented things to
You have two ways to follow.
1) To use an HSM to sign, the "official" way to do it is to use an openssl
engine. If your HSM does not provide an openssl engine, it probably does
provide a PKCS#11 module, and you can use the pkcs11 engine to load it and
use it.
2) In some situations that is not po
I have a need to sign an X509 certificate outside openssl, using a
hardware security module.
1 - I have to first hash the certificate.
I discovered X509_digest(), which is not documented. Is it the correct
function?
I also found ASN1_item_i2d() to serialize the cert_info member, from
which