Hi Bahaa

I'm creating the key with ca3util, of course.
And I'm just trying to verify it with openssl rsa, NOT openssl genrsa.

These errors are from openssl rsa.

Rastlin

On Mon, 2005-04-11 at 08:31 -0400, Alamood, Bahaaldin wrote:
> Hello,
> 
> Just a small note, the Luna patch does not allow you to generate an RSA
> key pair using openssl, therefore you have to use the ca3util to do this
> job for you, and that is implemented in OpenCA. I would follow what
> Chris suggested to start with.
> 
> 
> Best regards,
> Bahaa Al-amood
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:openca-devel-
> > [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> > Sent: Monday, April 11, 2005 4:14 AM
> > To: openca-devel@lists.sourceforge.net
> > Subject: Re: [OpenCA-Devel] Question about LunaCA3
> > 
> > Rastlin,
> > 
> > OK, before we start, can you confirm that you have OpenSSL talking to the
> > Luna CA3 correctly. As you (probably) know the OpenSSL does not support
> > the Luna devices out of the box, you must patch the source code. SafeNet
> > (ex Chrysalis) only provide a patch for OpenSSL 0.9.7 (I have got it going
> > with OpenSSL 0.9.7e but I had to edit the patch). So have you:
> > 
> > 1. Patched the OpenSSL 0.9.7 source code with the SafeNet patch
> > 2. Installed the SafeNet tools (calogin, cautil etc.)
> > 3. Used the cautil tools to check that you have got the CA3 working
> > (create a new key pair)
> > 4. Used OpenSSL from the command line to check that it can talk to the CA3
> > (something like "openssl rsa -engine LunaCA3 -in /root/test/test.key -text
> > -noout")
> > 
> > Only when you can do all of the above can you start thinking about OpenCA.
> > 
> > Now, OpenCA 0.9.1-7 works with the CA3, but the lowest version of the
> > OpenCA 0.9.2 series that is Luna compatible is 0.9.2.2. Earlier versions
> > of 0.9.2 will _not_ work.
> > 
> > As for your issues with already created keys on the Luna, I think you will
> > be OK as long as you have the "cakey.pem" file. This is a PEM file
> > containing a pointer to the location of the private key on the HSM device.
> > What I would do is use OpenCA to create a normal soft key, and then
> > replace the cakey.pem (in ../openca/var/crypto/cakeys) file with your HSM
> > generated pem file. This should work fine.
> > 
> > I hope this helps.
> > 
> > Chris...
> > 
> > > I have such a problem. Installed openca 0.9.2
> > > Installed openssl-0.9.7
> > >
> > > Configured openssl and openca. Right now when
> > > I'm starting openca I have to log in to Luna so
> > > this is fine.
> > >
> > > Right now I have a problem which is:
> > > Generate new CA secret key (from openca menu) <- should I create it if
> > > my secret key is on LunaCa3?
> > > Anyway I'm creating it and it is in DER format, but it couldn't be
> > > read in any way
> > >
> > > /usr/luna_ssl/bin/openssl rsa -engine LunaCA3 -inform DER
> > > -in /usr/local/pki/var/crypto/keys/cakey.pem -text
> > > Of course I'm logged in to Luna in this session and have initialized the token.
> > >
> > > engine "LunaCA3" set.
> > > unable to load Private Key
> > > 1679:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag:a_set.c:179:
> > > 1679:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:939:
> > > 1679:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=RSA
> > > 1679:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:96:
> > >
> > > If I try to read it as PEM I get informed that iqmp is missing.
> > > And also when trying to do req (from openca Administrative) I also got
> > > an error.
> > > First I'm executing this command from the web
> > >
> > > req -new -config /usr/local/pki/etc/openssl/openssl.cnf -subj
> > > "/C=PL/O=BLA/OU=Pixel Technology/CN=BLE/[EMAIL PROTECTED]"
> > > -engine LunaCA3 -keyform PEM
> > > -key /usr/local/pki/var/crypto/keys/cakey.pem
> > > -out /usr/local/pki/var/crypto/reqs/careq.pem
> > >
> > > and got this error
> > > OpenCA::OpenSSL->genReq: Cannot execute command (7777067). engine "LunaCA3" set.
> > > unable to load Private Key
> > > 1928:error:0D078079:asn1 encoding routines:ASN1_ITEM_EX_D2I:field missing:tasn_dec.c:391:Field=iqmp, Type=RSA
> > > 1928:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:96:
> > > 1928:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_pkey.c:117:
> > > error in req
> > >
> > > I've tried to google something without success. Waiting for help.
> > >
> > > Rastlin
> > >
> > >
> > 
> > 
> > 
> > _______________________________________________
> > OpenCA-Devel mailing list
> > OpenCA-Devel@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/openca-devel
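
Added example, not part of the thread and not OpenCA or SafeNet code: a minimal DER walker that shows why one key file can fail with a tag error when read with `-inform DER` and with "field missing ... iqmp" when read as PEM. The stub below is constructed only to reproduce the missing-field condition (the real Luna key file layout is not shown in the thread), and `diagnose`, `SOFT_KEY` and `STUB_KEY` are hypothetical names.

```python
import base64

FIELDS = ["version", "n", "e", "d", "p", "q", "dmp1", "dmq1", "iqmp"]  # RSAPrivateKey order

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def diagnose(data, inform):
    """Classify a key file; inform is 'PEM' or 'DER', like openssl's -inform."""
    if inform == "PEM":  # drop the BEGIN/END lines and base64-decode the body
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        data = base64.b64decode(body)
    if len(data) < 2 or data[0] != 0x30:  # PEM text starts with '-' (0x2D), not SEQUENCE
        return "wrong tag: not a DER SEQUENCE"
    try:
        _, seq, _ = read_tlv(data, 0)
        present, pos = 0, 0
        while pos < len(seq) and present < len(FIELDS):
            tag, _, pos = read_tlv(seq, pos)
            if tag != 0x02:
                return "wrong tag: expected INTEGER for " + FIELDS[present]
            present += 1
    except IndexError:
        return "truncated DER"
    if present < len(FIELDS):
        return "field missing: " + FIELDS[present]
    return "complete soft key"

# --- constructed sample input (toy numbers, short-form lengths only) ---
def der_int(n):
    v = n.to_bytes(n.bit_length() // 8 + 1, "big")  # leaves room for the sign bit
    return bytes([0x02, len(v)]) + v

def pem(ints):
    body = b"".join(der_int(i) for i in ints)
    der = bytes([0x30, len(body)]) + body
    return (b"-----BEGIN RSA PRIVATE KEY-----\n" + base64.encodebytes(der)
            + b"-----END RSA PRIVATE KEY-----\n")

SOFT_KEY = pem([0, 3233, 17, 2753, 61, 53, 53, 49, 38])  # all nine fields
STUB_KEY = pem([0, 3233, 17, 0, 0, 0, 0, 0])  # placeholder values, iqmp absent

if __name__ == "__main__":
    for name, key in (("soft", SOFT_KEY), ("stub", STUB_KEY)):
        print(name, diagnose(key, "PEM"), "|", diagnose(key, "DER"))
```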