You have two ways to follow.
1) To use an HSM to sign, the official way to do it is to use an openssl
engine. If your HSM does not provide an openssl engine, it probably does
provide a PKCS#11 module, and you can use the pkcs11 engine to load it and
use it.
2) In some situations that is not
2013/5/10 Cristian Thiago Moecke cont...@cristiantm.com.br
You have two ways to follow.
2) In some situations that is not possible (e.g. you need it to be signed
on a different remote system). And I just had the same need this week, but
for Certificate Requests. There are a lot of small
On 5/10/2013 5:37 AM, Cristian Thiago Moecke wrote:
You have two ways to follow.
1) To use an HSM to sign, the official way to do it is to use an
openssl engine. If your HSM does not provide an openssl engine, it
probably does provide a PKCS#11 module, and you can use the pkcs11
engine to load
On 5/10/2013 6:17 AM, Krzysztof Konopko wrote:
This could also be handled by some sort of engine that would work in two
modes:
* generate an intermediate result (hash) that can be processed (signed)
I'm looking for advice on how to do that.
at the remote site (how to get it there securely
2) In some situations that is not possible (e.g. you need it to be
signed on a different remote system). And I just had the same need this
week, but for Certificate Requests. There are a lot of small
non-documented things to do in this case but basically you need to:
a) get the der encoded
On Fri, May 10, 2013 at 11:26:35AM -0400, Ken Goldman wrote:
a) get the der encoded value of tbsCertificate field
b) hash it
c) apply pkcs1 padding and sign it
d) put the signature on asn1 form
e) add NIDs and other parameters to the cert_info field you identified.
I spent a lot of time
Cristian Thiago Moecke
contato-pbw9x2wndctn3hn+mpyg4faujnlxr...@public.gmane.org writes:
You have two ways to follow.
1) To use an HSM to sign, the official way to do it is to use an
openssl engine. If your HSM does not provide an openssl engine, it
probably does provide a PKCS#11 module,
From: owner-openssl-us...@openssl.org On Behalf Of Viktor Dukhovni
Sent: Friday, 10 May, 2013 12:20
On Fri, May 10, 2013 at 11:26:35AM -0400, Ken Goldman wrote:
a) get the der encoded value of tbsCertificate field
b) hash it
c) apply pkcs1 padding and sign it
d) put the signature on
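
Steps b) to d) of the procedure quoted in this thread, carried through for RSA with SHA-256, as an added example that is not part of any poster's message and is not OpenSSL code. The key is a constructed toy key standing in for the remote signer, the input bytes are a constructed placeholder for the DER output of step a), and all function names are hypothetical.

```python
import hashlib

# DER DigestInfo header for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed toy key built from two Mersenne primes: demonstration only,
# standing in for the private key held by the remote signer.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes

def encode_for_signing(tbs_der: bytes, k: int = K) -> bytes:
    """Step b and the padding half of c: SHA-256, DigestInfo, PKCS#1 v1.5 type 1."""
    t = SHA256_PREFIX + hashlib.sha256(tbs_der).digest()
    pad_len = k - len(t) - 3
    if pad_len < 8:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * pad_len + b"\x00" + t

def remote_raw_sign(block: bytes) -> bytes:
    """Signing half of step c: the raw RSA private-key operation done remotely."""
    return pow(int.from_bytes(block, "big"), D, N).to_bytes(K, "big")

def der_bit_string(sig: bytes) -> bytes:
    """Step d: wrap the signature as a DER BIT STRING with zero unused bits."""
    body = b"\x00" + sig
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return b"\x03" + length + body

def check(sig: bytes, tbs_der: bytes) -> bool:
    """The public-key operation must give back exactly the padded block."""
    recovered = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    return recovered == encode_for_signing(tbs_der)

# Constructed placeholder bytes, not a real tbsCertificate (output of step a).
SAMPLE_TBS = bytes.fromhex("3003020101")
SIGNATURE = remote_raw_sign(encode_for_signing(SAMPLE_TBS))

if __name__ == "__main__":
    print(check(SIGNATURE, SAMPLE_TBS), der_bit_string(SIGNATURE)[:4].hex())
```

If the remote signer applies PKCS#1 v1.5 padding itself, send it only the DigestInfo (prefix plus digest) rather than the full padded block, otherwise the result is padded twice and will not verify.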