Chris...
Jakub Musiałek wrote:
Hi
You're right, I have a problem with openssl; here is its output:
/usr/luna_ssl/bin/openssl rsa -engine LunaCA3 -in server.key -text -noout
engine "LunaCA3" set.
unable to load Private Key
22277:error:0D078079:asn1 encoding routines:ASN1_ITEM_EX_D2I:field missing:tasn_dec.c:391:Field=iqmp, Type=RSA
22277:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:96:
22277:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_pkey.c:122:
Any idea what's wrong? I tried to use openssl-0.9.6, which is provided by Chrysalis, and here is the output:
/root/luna/luna_orig/usr/local/ssl/bin/openssl rsa -engine LunaCA3 -in /root/server.key -text -noout
engine "LunaCA3" set.
read RSA key
unable to load key
22369:error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:139:
22369:error:0D080065:asn1 encoding routines:d2i_ASN1_INTEGER:bad object header:a_int.c:204:
22369:error:0D09D082:asn1 encoding routines:d2i_RSAPrivateKey:parsing:d2i_r_pr.c:116:
22369:error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:89:
22369:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_lib.c:290:
I'm logging in to Luna with ca3util before executing all of this.
Rastlin
On Mon, 2005-04-11 at 09:13 +0100, [EMAIL PROTECTED] wrote:
Rastlin,
OK, before we start, can you confirm that you have OpenSSL talking to the Luna CA3 correctly? As you (probably) know, OpenSSL does not support the Luna devices out of the box; you must patch the source code. SafeNet (ex Chrysalis) only provide a patch for OpenSSL 0.9.7 (I have got it going with OpenSSL 0.9.7e, but I had to edit the patch). So have you:
1. Patched the OpenSSL 0.9.7 source code with the SafeNet patch
2. Installed the SafeNet tools (calogin, cautil etc.)
3. Used the cautil tools to check that you have got the CA3 working (create a new key pair)
4. Used OpenSSL from the command line to check that it can talk to the CA3 (something like "openssl rsa -engine LunaCA3 -in /root/test/test.key -text -noout")
Only when you can do all of the above can you start thinking about OpenCA.
Now, OpenCA 0.9.1-7 works with the CA3, but the lowest version of the OpenCA 0.9.2 series that is Luna compatible is 0.9.2.2. Earlier versions of 0.9.2 will _not_ work.
As for your issues with already created keys on the Luna, I think you will be OK as long as you have the "cakey.pem" file. This is a PEM file containing a pointer to the location of the private key on the HSM device. What I would do is use OpenCA to create a normal soft key, and then replace the cakey.pem (in ../openca/var/crypto/cakeys) file with your HSM generated pem file. This should work fine.
I hope this helps.
Chris...
I have such a problem.
Installed openca 0.9.2
Installed openssl-0.9.7
Configured openssl and openca. Right now, when I'm starting openca I have to log in to Luna, so this is fine.
Right now I have a problem, which is: Generate new CA secret key (from the openca menu) <- should I create it if my secret key is on LunaCA3? Anyway, I'm creating it and it is in DER format, but it can't be read in any way:
/usr/luna_ssl/bin/openssl rsa -engine LunaCA3 -inform DER -in /usr/local/pki/var/crypto/keys/cakey.pem -text
Of course I'm logged in to Luna in this session and have an initialized token.
engine "LunaCA3" set.
unable to load Private Key
1679:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag:a_set.c:179:
1679:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:939:
1679:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=RSA
1679:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:96:
If I try to read it as PEM, I get told that iqmp is missing. Also, when trying to do req (from openca Administrative) I get an error. First I'm executing this command from the web:
req -new -config /usr/local/pki/etc/openssl/openssl.cnf -subj "/C=PL/O=BLA/OU=Pixel Technology/CN=BLE/[EMAIL PROTECTED]" -engine LunaCA3 -keyform PEM -key /usr/local/pki/var/crypto/keys/cakey.pem -out /usr/local/pki/var/crypto/reqs/careq.pem
and got this error:
OpenCA::OpenSSL->genReq: Cannot execute command (7777067).
engine "LunaCA3" set.
unable to load Private Key
1928:error:0D078079:asn1 encoding routines:ASN1_ITEM_EX_D2I:field missing:tasn_dec.c:391:Field=iqmp, Type=RSA
1928:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:96:
1928:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_pkey.c:117:
error in req
I've tried to google something without success. Waiting for help.
Rastlin
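The "field missing: Field=iqmp, Type=RSA" error in the outputs above comes from OpenSSL's ASN.1 decoder: a PKCS#1 RSAPrivateKey (RFC 3447) is a SEQUENCE of nine INTEGERs (version, n, e, d, p, q, dp, dq, iqmp), and the decoder ran out of elements before reaching the last one. As Chris explains, the cakey.pem written for a Luna key is a pointer to the key on the HSM rather than a complete software key, so feeding it to a plain RSAPrivateKey parser fails. The script below is an added diagnostic, not part of this thread or of the OpenCA/SafeNet tools: it decodes a PEM or DER file with a minimal DER reader and reports which of the nine fields are present, so one can tell a complete software key from an HSM reference or a corrupted file without involving the engine. The helper names (`inspect_rsa_private_key`, `pem_to_der`, `der_integer`, `der_sequence`) are this example's own, and the sample keys are constructed from the classic toy RSA parameters (n = 3233), not real keys.

```python
import base64
import re

# RFC 3447 RSAPrivateKey field order; OpenSSL's d2i_RSAPrivateKey expects all nine.
RSA_FIELDS = ["version", "n", "e", "d", "p", "q", "dp", "dq", "iqmp"]


def _der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    """DER INTEGER for a non-negative int (adds a leading 0x00 if the high bit is set)."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def der_sequence(*items):
    """DER SEQUENCE wrapping already-encoded items."""
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body


def der_to_pem(der, label="RSA PRIVATE KEY"):
    """Wrap DER bytes in a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_to_der(text):
    """Return the DER bytes of the first PEM block in text, or None if there is none."""
    m = re.search(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", text, re.S)
    if not m:
        return None
    return base64.b64decode("".join(m.group(2).split()))


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos:]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("header too long")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def inspect_rsa_private_key(data):
    """Report which RSAPrivateKey fields a PEM or DER blob actually carries.

    Returns {"ok": bool, "present": [...], "missing": [...], "error": str or None}.
    """
    if isinstance(data, str):
        data = data.encode("ascii", "replace")
    der = data
    if data.lstrip().startswith(b"-----"):   # PEM armour present
        der = pem_to_der(data.decode("ascii", "replace"))
        if der is None:
            return {"ok": False, "present": [], "missing": RSA_FIELDS[:], "error": "no PEM block found"}
    present = []
    try:
        tag, body, _ = _read_tlv(der, 0)
        if tag != 0x30:
            raise ValueError("outer element is not a SEQUENCE (tag 0x%02x)" % tag)
        pos = 0
        while pos < len(body) and len(present) < len(RSA_FIELDS):
            t, _, pos = _read_tlv(body, pos)
            if t != 0x02:
                raise ValueError("element %d is not an INTEGER (tag 0x%02x)" % (len(present) + 1, t))
            present.append(RSA_FIELDS[len(present)])
    except ValueError as exc:
        return {"ok": False, "present": present, "missing": RSA_FIELDS[len(present):], "error": str(exc)}
    missing = RSA_FIELDS[len(present):]
    return {"ok": not missing, "present": present, "missing": missing, "error": None}


# Constructed toy key (p=61, q=53, e=17): NOT a real key, only for exercising the parser.
TOY_FIELDS = [0, 3233, 17, 2753, 61, 53, 53, 49, 38]
FULL_KEY_DER = der_sequence(*(der_integer(v) for v in TOY_FIELDS))
TRUNCATED_KEY_DER = der_sequence(*(der_integer(v) for v in TOY_FIELDS[:-1]))  # iqmp dropped

if __name__ == "__main__":
    for name, blob in [("full PEM", der_to_pem(FULL_KEY_DER)),
                       ("truncated DER", TRUNCATED_KEY_DER),
                       ("not a key", b"some HSM reference text")]:
        print(name, "->", inspect_rsa_private_key(blob))
```

Run against a real cakey.pem the tool prints either all nine fields (a normal software key) or the point at which decoding stopped; a Luna pointer file will stop early or fail on the outer tag, which is the condition Chris's advice of swapping in the HSM-generated pem file addresses.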
------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click _______________________________________________ OpenCA-Devel mailing list OpenCA-Devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openca-devel