Hi Martin,

> while trying to get OpenCA going with my shiny nCipher module I am
> experiencing some weird problems concerning configuration.

We haven't tested 0.9.2 with an engine until now ...

> In order to access the module I changed the 'openssl_engine'
> configuration value in config.xml:
>
> <!-- =========== -->
> <!-- HSM support -->
> <!-- =========== -->
> <option>
>    <name>openssl_engine</name>
>    <value>chil -keyform e</value>
> </option>
> <option>
>    <name>hsm_utility</name>
>    <value></value>
> </option>
> <option>
>    <name>hsm_slot</name>
>    <value></value>
> </option>
> <option>
>    <name>appid</name>
>    <value></value>
> </option>

I completely removed this section from config.xml. I commit it on Friday.

> Then I modified token.xml. In particular I added a WRAPPER (thanks,
> Michael) and changed the KEY value to reference the key name that
> already exists in the HSM module.

Please check the example configuration for more details and see in LunaCA3.pm how we initialize the OpenSSL module.

> <type>OpenSSL</type>

PLEASE write your own module. Do not simply use OpenSSL. Please write a module nFast or nCipher::nFast. You can use LunaCA3 in modules/openca-crypto/Token/ as an example.

> After running configure_etc.sh the corresponding
> etc/servers/ca.conf file reads:
>
> [...]
> ## Crypto Section
> ## ==============
> openssl "/usr/local/ssl/bin/openssl"
> [...]
> ## HSM configuration
> ## =================
>
> ## Example: LunaCA3
>
> ## opensslEngine "LunaCA3"
> ## opensslEngineArg "-enginearg 1:10:11"
> opensslEngine "chil -keyform e"
> opensslEngineArg "-enginearg :@hsm_appid@"
>
> HSM_LOGIN_CMD " -o -s -i @hsm_appid@"
> HSM_LOGOUT_CMD " -c -s -i @hsm_appid@"
> HSM_GENKEY_CMD " -s -i @hsm_appid@ -g @__BITS__@ -f @__OUTFILE__@"

I removed it from ca.conf.

> I know that the above opensslEngineArg is not suitable for my HSM, but
> it DOES exist. However, when starting the OpenCA server it
> does not seem to find this configuration entry. (It reads the
> opensslEngine variable without problems.)
> It seems that the opensslEngineArg parameter is simply ignored.

Simply forget this stuff.
The correct way is to write your own module and build a parameter ENGINE in this module. As usual, LunaCA3.pm is an example. Internally we use "openssl ca -engine ENGINE ..." where ENGINE is the stuff which you set in OpenSSL's ENGINE parameter.

Actually I'm searching for your examples. Can you send me an example to sign a certificate with the CA command or to create a request?

Michael

_______________________________________________
OpenCA-Devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-devel