Guys,

just to let you know that I have successfully stood up an openCA installation 
with root key generation on a Chrysalis ITS LunaSA network HSM device!

The details:

OpenCA 0.9.1-1
OpenSSL 0.9.7
Chrysalis ITS OpenSSL patch specific for 0.9.7
LunaSA device located in Chrysalis test labs
Chrysalis HSM utility = /usr/lunasa/bin/sautil

Configuration
-------------
From the ca.conf

openSSLEngine                   "LunaCA3"
opensslEngineArg                ""
HSM_LOGIN_CMD           "/usr/lunasa/bin/sautil -o -s 1 -i 10:11 -p my_password"
HSM_LOGOUT_CMD          "/usr/lunasa/bin/sautil -c -s 1 -i 10:11 -p my_password"
HSM_GENKEY_CMD          "/usr/lunasa/bin/sautil -s 1 -i 10:11 -g @__BITS__@ -f @__OUTFILE__@ -p my_password"

Comments
--------

There are two areas that I think we need to look at:

1. Passwords in the config file.
Because the SA is a network attached device, many applications can make use 
of the device to store keys and perform crypto actions. The access to the 
partition is via a certificate, knowledge of the access ID (the 10:11 in the 
example above) and a password. At the moment, because this idea of a password 
is new, there is no facility to pass the password to the command line and 
therefore I had to put the password in the config file for login, logout and 
key generation. A better way to do this would be to collect the password from 
the user and send it to the command line after the "-p". This means that the 
password is not written down anywhere.

2. Root CA key password now not required.
The actions at the CA are now:
        a. Log on to HSM
        b. Perform CA functions
        c. Log out of HSM

Because you are logged onto the HSM you now do not need to enter a password 
(when signing a CRL for instance) for the CA root key. Whatever password you 
type into the CA Password field is just discarded. So I would propose a 
modification to not ask for a CA password if you are using an HSM.

I shall have a look into these areas, but I am sure my code will be just a 
bodge !!!!!

Chris...


_______________________________________________
OpenCA-Devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-devel
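As an added example (not OpenCA's or Chrysalis ITS's code, and not something the post above ships), the POSIX shell wrapper below does what points 1 and 2 of the post ask for: it prompts for the LunaSA partition password once, substitutes it into the ca.conf command templates at run time so the password is never written into ca.conf, runs the HSM login / CA action / HSM logout sequence with the logout guaranteed even if the action fails, and treats a configured openSSLEngine as the signal that the CA key password prompt can be skipped. Everything it assumes beyond the post is hypothetical: a @__PASSWORD__@ placeholder in the templates (in the same style as the post's @__BITS__@ and @__OUTFILE__@), the KEY "value" line layout of ca.conf shown in the post, a constructed ca.conf fragment, and a stub sautil on PATH that only logs its arguments, standing in for /usr/lunasa/bin/sautil so the script runs offline. The function names (conf_get, subst, hsm_cmd, run_with_hsm) are the example's own. One caveat the post does not mention: a password handed to sautil after "-p" is still visible to other local users in the process list while sautil runs; the wrapper only removes it from the file on disk.

```shell
#!/bin/sh
# Added example (not OpenCA or Chrysalis ITS code). Prompts for the LunaSA
# partition password at run time and substitutes it into the ca.conf command
# templates, so the password is never written into ca.conf, and skips the
# CA key password whenever an OpenSSL engine is configured.
# Assumptions not in the post: a hypothetical @__PASSWORD__@ placeholder in
# the templates (same style as @__BITS__@ / @__OUTFILE__@), and a stub
# "sautil" on PATH standing in for /usr/lunasa/bin/sautil so this runs offline.

WORK=$(mktemp -d)
PATH="$WORK:$PATH"; export PATH
SAUTIL_LOG="$WORK/sautil.log"; export SAUTIL_LOG

# Constructed stub: records its argument vector to SAUTIL_LOG, never talks to an HSM.
cat > "$WORK/sautil" <<'EOF'
#!/bin/sh
printf '%s\n' "sautil $*" >> "${SAUTIL_LOG:?}"
EOF
chmod +x "$WORK/sautil"

# Constructed ca.conf fragment in the post's KEY "value" layout. No password in it.
cat > "$WORK/ca.conf" <<'EOF'
openSSLEngine     "LunaCA3"
opensslEngineArg  ""
HSM_LOGIN_CMD     "sautil -o -s 1 -i 10:11 -p @__PASSWORD__@"
HSM_LOGOUT_CMD    "sautil -c -s 1 -i 10:11 -p @__PASSWORD__@"
HSM_GENKEY_CMD    "sautil -s 1 -i 10:11 -g @__BITS__@ -f @__OUTFILE__@ -p @__PASSWORD__@"
EOF

# Print the quoted value of KEY in a ca.conf ($1 = file, $2 = key); empty if absent.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*\"\(.*\)\"[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# True when an OpenSSL engine is configured: the CA key lives in the HSM, so
# the "CA Password" field would be discarded anyway and need not be asked for.
hsm_in_use() {
    [ -n "$(conf_get "$1" openSSLEngine)" ]
}

# Replace every occurrence of placeholder $2 in template $1 with $3. Plain
# parameter expansion, no regex, so the value may contain any character.
subst() {
    tmpl=$1 ph=$2 val=$3 out=''
    while [ "${tmpl#*"$ph"}" != "$tmpl" ]; do
        out="$out${tmpl%%"$ph"*}$val"
        tmpl=${tmpl#*"$ph"}
    done
    printf '%s' "$out$tmpl"
}

# Single-quote a value for eval, since the password may contain shell metacharacters.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Expand the command template stored under key $2 in ca.conf $1 and run it.
# $3 = partition password; optional $4 = BITS and $5 = OUTFILE for HSM_GENKEY_CMD.
hsm_cmd() {
    cmd=$(conf_get "$1" "$2")
    cmd=$(subst "$cmd" @__PASSWORD__@ "$(sh_quote "$3")")
    [ $# -ge 4 ] && cmd=$(subst "$cmd" @__BITS__@ "$(sh_quote "$4")")
    [ $# -ge 5 ] && cmd=$(subst "$cmd" @__OUTFILE__@ "$(sh_quote "$5")")
    eval "$cmd"
}

# Log on, run the CA action given as the remaining arguments, log out. Logout
# runs even when the action fails, so a broken signing step does not leave the
# partition session open. Returns the action's exit status.
run_with_hsm() {
    conf=$1 pw=$2; shift 2
    hsm_cmd "$conf" HSM_LOGIN_CMD "$pw" || return 1
    "$@"; rc=$?
    hsm_cmd "$conf" HSM_LOGOUT_CMD "$pw"
    return $rc
}

# Read the partition password without echoing it; nothing is written to disk.
read_password() {
    printf 'LunaSA partition password: ' >&2
    stty -echo 2>/dev/null
    IFS= read -r pw
    stty echo 2>/dev/null
    printf '\n' >&2
    printf '%s' "$pw"
}

# Demo, only when run interactively: generate the root key inside one
# login/logout session. The password still shows in "ps" output while sautil runs.
if [ -t 0 ] && hsm_in_use "$WORK/ca.conf"; then
    PW=$(read_password)
    run_with_hsm "$WORK/ca.conf" "$PW" \
        hsm_cmd "$WORK/ca.conf" HSM_GENKEY_CMD "$PW" 2048 "$WORK/cakey.pem"
    cat "$SAUTIL_LOG"
fi
```

Run it from a terminal and the stub's log shows the three sautil invocations (login, key generation, logout) with the password that was typed, while grep for that password in ca.conf finds nothing. Dropping the password in from a prompt rather than a file is exactly the change point 1 proposes; whether OpenCA itself should prompt once per session or once per HSM command is a separate design decision the post leaves open.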
