Hello,

Just a small note: the Luna patch does not allow you to generate an RSA
key pair using openssl, therefore you have to use the ca3util to do this
job for you, and that is implemented in OpenCA. I would start with what
Chris suggested.


Best regards,
Bahaa Al-amood

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:openca-devel-
> [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Monday, April 11, 2005 4:14 AM
> To: openca-devel@lists.sourceforge.net
> Subject: Re: [OpenCA-Devel] Question about LunaCA3
> 
> Rastlin,
> 
> OK, before we start, can you confirm that you have OpenSSL talking to
> the Luna CA3 correctly? As you (probably) know the OpenSSL does not
> support the Luna devices out of the box, you must patch the source code.
> SafeNet (ex Chrysalis) only provide a patch for OpenSSL 0.9.7 (I have
> got it going with OpenSSL 0.9.7e but I had to edit the patch). So have
> you:
> 
> 1. Patched the OpenSSL 0.9.7 source code with the SafeNet patch
> 2. Installed the SafeNet tools (calogin, cautil etc.)
> 3. Used the cautil tools to check that you have got the CA3 working
> (create a new key pair)
> 4. Used OpenSSL from the command line to check that it can talk to the
> CA3 (something like "openssl rsa -engine LunaCA3 -in /root/test/test.key
> -text -noout")
> 
> Only when you can do all of the above can you start thinking about
> OpenCA.
> 
> Now, OpenCA 0.9.1-7 works with the CA3, but the lowest version of the
> OpenCA 0.9.2 series that is Luna compatible is 0.9.2.2. Earlier
> versions of 0.9.2 will _not_ work.
> 
> As for your issues with already created keys on the Luna, I think you
> will be OK as long as you have the "cakey.pem" file. This is a PEM file
> containing a pointer to the location of the private key on the HSM
> device. What I would do is use OpenCA to create a normal soft key, and
> then replace the cakey.pem (in ../openca/var/crypto/cakeys) file with
> your HSM generated pem file. This should work fine.
> 
> I hope this helps.
> 
> Chris...
> 
> > I have such a problem. Installed openca 0.9.2
> > Installed openssl-0.9.7
> >
> > Configured openssl and openca. Right now when
> > I'm starting openca I have to login to Luna so
> > this is fine.
> >
> > Right now I have a problem which is:
> > Generate new CA secret key (from openca menu) <- should I create it
> > if my secret key is on LunaCa3 ?
> > Anyway I'm creating it and it is in DER format, but couldn't be
> > read in any way
> >
> > /usr/luna_ssl/bin/openssl rsa -engine LunaCA3 -inform DER
> > -in /usr/local/pki/var/crypto/keys/cakey.pem -text
> > of course I'm logged in to Luna in this session and have an
> > initialized token.
> >
> > engine "LunaCA3" set.
> > unable to load Private Key
> > 1679:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad
> > tag:a_set.c:179:
> > 1679:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
> > tag:tasn_dec.c:939:
> > 1679:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested
> > asn1 error:tasn_dec.c:304:Type=RSA
> > 1679:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1
> > lib:d2i_pr.c:96:
> >
> > If I try to read it as a PEM I get informed that iqmp is
> > missing.
> > And also when trying to do req (from openca Administrative) I also
> > got an error.
> > First I'm executing this command from web
> >
> > req -new -config /usr/local/pki/etc/openssl/openssl.cnf -subj
> > "/C=PL/O=BLA/OU=Pixel Technology/CN=BLE/[EMAIL PROTECTED]"
> > -engine LunaCA3 -keyform PEM
> > -key /usr/local/pki/var/crypto/keys/cakey.pem
> > -out /usr/local/pki/var/crypto/reqs/careq.pem
> >
> > and got this error
> > OpenCA::OpenSSL->genReq: Cannot execute command (7777067). engine
> > "LunaCA3" set.
> > unable to load Private Key
> > 1928:error:0D078079:asn1 encoding routines:ASN1_ITEM_EX_D2I:field
> > missing:tasn_dec.c:391:Field=iqmp, Type=RSA
> > 1928:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1
> > lib:d2i_pr.c:96:
> > 1928:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1
> > lib:pem_pkey.c:117:
> > error in req
> >
> > I've tried to google something without success. Waiting for help.
> >
> > Rastlin
> >
> >
> 
> 
> 
> _______________________________________________
> OpenCA-Devel mailing list
> OpenCA-Devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openca-devel
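As an added diagnostic example (not code from the thread, OpenCA or SafeNet), the script below decodes an "RSA PRIVATE KEY" PEM block and lists which PKCS#1 RSAPrivateKey fields it actually contains, so the two errors above ("bad tag" when a PEM file is fed in as DER, and "field missing: Field=iqmp" when the PEM holds an incomplete RSA structure) can be told apart before pointing OpenCA at a cakey.pem. The sample keys are constructed from toy numbers and are not real keys; the Luna pointer format itself is not modelled.

```python
import base64, re

# Field order of a PKCS#1 RSAPrivateKey SEQUENCE (RFC 8017, A.1.2).
RSA_FIELDS = ["version", "n", "e", "d", "p", "q", "dmp1", "dmq1", "iqmp"]

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_private_key_fields(der):
    """Names of the INTEGER fields actually present in a PKCS#1 DER RSAPrivateKey."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:                                    # a PEM file starts with '-' (0x2D): "bad tag"
        raise ValueError("not a DER SEQUENCE (bad tag 0x%02x)" % tag)
    found, pos = [], 0
    while pos < len(body) and len(found) < len(RSA_FIELDS):
        tag, _, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER, got tag 0x%02x" % tag)
        found.append(RSA_FIELDS[len(found)])
    return found

def missing_rsa_fields(pem_text):
    """Fields OpenSSL would report as 'field missing' for an 'RSA PRIVATE KEY' PEM block."""
    m = re.search(r"-----BEGIN RSA PRIVATE KEY-----(.*?)-----END RSA PRIVATE KEY-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no RSA PRIVATE KEY PEM block found")
    der = base64.b64decode("".join(m.group(1).split()))
    present = rsa_private_key_fields(der)
    return [f for f in RSA_FIELDS if f not in present]

# --- constructed sample input: toy RSA numbers, not a real key ---
def der_int(v):
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")  # keeps a leading 0x00 when the high bit is set
    return b"\x02" + bytes([len(b)]) + b

def toy_pem(values):
    body = b"".join(der_int(v) for v in values)
    der = b"\x30" + bytes([len(body)]) + body            # short-form length is enough for toy sizes
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n" % b64

TOY_KEY = [0, 3233, 17, 2753, 61, 53, 53, 49, 38]        # version, n, e, d, p, q, dmp1, dmq1, iqmp
COMPLETE_PEM = toy_pem(TOY_KEY)                          # full software key: nothing missing
NO_IQMP_PEM = toy_pem(TOY_KEY[:-1])                      # iqmp dropped, as in the thread's error
```

Run `missing_rsa_fields` on the text of a real cakey.pem: an empty list means a complete software key, while a non-empty list reproduces the "field missing" diagnostic for the named field.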