> Hi,
>
> I am currently setting up a test bed installation for a medium-sized PKI
> installation. We have chosen OpenCA for Level 2 CA and RA and
> want to use HSMs for private key protection. I've set up an OpenCA 0.9.2
> RC4 test install for this purpose.
>
> We have not yet decided which HSM we are going to use in the end,
> but it looks pretty much like we will choose nCipher nFast PCI
> modules.
>
> Currently I have one nFast 150 module for testing, and I can use it
> properly with OpenSSL (CHIL engine). I have written some shell
> scripts that serve well for a rudimentary Root CA, and everything is
> running smoothly with it, including access control divided between
> two distinct operators for private key operations.
>
> Now I am trying to figure out the semantics of the LunaCA3 module that is
> supported by OpenCA to adapt it for the nCipher module.
>
> However, I want to include it in OpenCA and would be willing to
> contribute my results to the project. Is the OpenCA development
> community interested in this?
>
> I could use some help in identifying what needs to be done to add the
> nCipher HSM.
We are really interested in supporting other crypto hardware too. In particular, there was an effort to do this for nCipher in the past, but nCipher did not give us any documentation, so we aborted it. If you want to integrate this into the official release, then we (or at a minimum I) are willing to help. Most of the code in the LunaCA module is from Bahaa and me, so questions are welcome.

The most important questions for us are the following:

1. How does the authentication work? Luna uses its own hardware-based approach, so we do not have to transfer any passphrases.

2. Does the module support something like a daemon mode? This means that we want to log in and log out explicitly. This requires that we can check the HSM status, or we must remember the login state. (The implementation for Luna is a hack too.)

3. Are there any special issues for the command-line usage of OpenSSL? This means that we need command-line examples for OpenSSL to check our old code for possible incompatibilities.

If you have example code or any other questions, simply write us. Perhaps the support from nCipher is better if there is a real customer. The experiences with ITS-Chrysalis were really positive.

BTW, is nFast a real HSM? I think nSure is the HSM from nCipher. I think nFast is an accelerator, but perhaps I'm wrong.

Best regards
Michael

OpenCA-Devel mailing list
https://lists.sourceforge.net/lists/listinfo/openca-devel