Carl Youngblood wrote:

Christian Schneider wrote:

The problem is that you do not only need a public/private key pair but also a certificate. If you generate the key on the card with xcard then the private key is normally not readable. That is one of the core security features of smartcards. But if you want to issue a certificate signing request you need to sign it with your private key to prove that you own the key and have the right to get the certificate for this key. As openssl does not work with muscle yet you cannot sign the csr.


Thanks so much for your detailed response. Am I to understand from this that the muscle PKCS11 layer is incomplete? Or just that cert signing is not a part of PKCS11?

Exactly..

Signing itself is part of pkcs#11 but signing of certificate requests is not.

The development version of openssl includes a pkcs#11 interface. So with the next version it should be possible to use openssl to generate a certificate request with non extractable keys.

But at the moment there is no other way than generating the key externally and importing it later.

best regards,

Christian

Carl Youngblood
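The point made in this thread, that a certificate request needs only a signing operation from the card and never the private key itself, shown as an added example that is not from the thread or from the muscle or openssl projects. The closure returned by `make_token` is a hypothetical stand-in for the card's sign function (not real PKCS#11 calls), `build_csr` and `verify` are illustrative names, and the RSA key is a constructed demo key that is far too small for real use.

```python
import hashlib

# Constructed demo key from two well-known primes; far too small for real use.
P, Q, E = 2**255 - 19, 2**256 - 189, 65537
N = P * Q
K = (N.bit_length() + 7) // 8  # modulus length in bytes
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
OID_RSA = bytes.fromhex("06092a864886f70d010101")         # rsaEncryption
OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # sha256WithRSAEncryption
OID_CN = bytes.fromhex("0603550403")                      # commonName

def tlv(tag, body):
    """DER tag-length-value with short or long form length."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def der_int(v):
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def emsa_pkcs1_v15(data):
    t = SHA256_PREFIX + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def make_token():
    """Stand-in for the card: returns the public key and sign(); d never leaves."""
    d = pow(E, -1, (P - 1) * (Q - 1))
    def sign(data):
        m = int.from_bytes(emsa_pkcs1_v15(data), "big")
        return pow(m, d, N).to_bytes(K, "big")
    return (N, E), sign

def build_csr(common_name, public_key, sign):
    """Build a PKCS#10 request; the only private-key operation is the sign() call."""
    n, e = public_key
    name = tlv(0x30, tlv(0x31, tlv(0x30, OID_CN + tlv(0x0C, common_name.encode()))))
    spki = tlv(0x30, tlv(0x30, OID_RSA + b"\x05\x00")
               + tlv(0x03, b"\x00" + tlv(0x30, der_int(n) + der_int(e))))
    info = tlv(0x30, der_int(0) + name + spki + b"\xa0\x00")  # empty attributes
    sig = sign(info)  # proof of possession: signature over CertificationRequestInfo
    csr = tlv(0x30, info + tlv(0x30, OID_SHA256_RSA + b"\x05\x00") + tlv(0x03, b"\x00" + sig))
    return csr, info, sig

def verify(info, sig, public_key):
    """What the CA does: check the request signature against the key in the request."""
    n, e = public_key
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(K, "big") == emsa_pkcs1_v15(info)
```
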

------------------------------------------------------------------------

_______________________________________________
Muscle mailing list
[EMAIL PROTECTED]
http://lists.drizzle.com/mailman/listinfo/muscle


