Hello all,

I am trying to integrate a new HSM with OpenCA - it is from ERACOM (does somebody
already have experience with OrangeServer?). I have created a new OpenCA::Token
called ERACOM and I have successfully used the Key/Certificate creation
process.

Anyway, I have a problem when it comes to the CA/RA Operators' certificates
and KeyPairs. I would like not to use the HSM partition (i.e. generate the
Key within the HSM) for RA/CA because, due to configuration options, it
could be impossible to export them. Therefore I need a way to use different
tokens when using the CA key or "other" keys... have you encountered
the same problem with other HSMs? How did you solve this?

In detail, the HSM needs to use a command line tool to generate internally
a keypair and openssl to generate the reference to the key (in the
normal cakey.pem file). If I use the same command to generate CA/RA keypairs
the problems are that:

1- It may be impossible to export the keys (depends on the HSM config)

2- Each key is identified by a label assigned during the creation process;
   it is not possible to create more keypairs with the same label. Anyway,
   in the token.xml configuration I have put only one KEY_ID option (the
   one to be used with the CA)

The idea is not to modify the genKey command, but instead to have a way within
the module which enables the two different behaviours.
The fastest solution would be the adoption of an additional parameter to
the keyGen command in Tokens to identify the key "scope", e.g. CA/RA/Other,
and then having the module perform different actions.

Any ideas ???

--

Best Regards,

        Massimiliano Pala

--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]      [EMAIL PROTECTED]
                                                Tel.:   +39 (0)11  564 7081
http://security.polito.it                       Fax:    +39   178  270 2077
                                                Mobile: +39 (0)347 7222 365

Politecnico di Torino (EuroPKI)
Certification Authority Information:

Authority Access Point                                  http://ca.polito.it
Authority's Certificate:          http://ca.polito.it/ca_cert/en_index.html
Certificate Revocation List:              http://ca.polito.it/crl02/crl.crl
--o------------------------------------------------------------------------
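
The scope-dispatch idea sketched in the message above (a "scope" parameter that decides whether a keypair is generated inside the HSM or as an exportable software key, with the HSM's one-label-per-key rule enforced before the vendor tool is called) can be modelled as a small shell wrapper. This is an added example, not OpenCA code and not the ERACOM tool's interface: `hsm-keygen-tool` and its flags are placeholders, the label registry file is a constructed stand-in for querying the partition, and the scope names CA/RA/OTHER are taken from the message.

```shell
#!/bin/sh
# Hypothetical scope-aware key generation wrapper (added example, not OpenCA's
# own genKey). Assumptions, all constructed for this example:
#   HSM_KEYGEN          placeholder name for the vendor's command-line keygen tool
#   KEY_LABEL_REGISTRY  a file listing labels already used on the HSM partition
#   scope CA            -> keypair generated inside the HSM (non-exportable)
#   scope RA / OTHER    -> exportable PEM generated with openssl, HSM untouched
set -u

HSM_KEYGEN="${HSM_KEYGEN:-hsm-keygen-tool}"                  # placeholder
KEY_LABEL_REGISTRY="${KEY_LABEL_REGISTRY:-./hsm_labels.txt}" # constructed registry

# token_for_scope SCOPE -> prints "hsm" or "software"; returns 1 on unknown scope
token_for_scope() {
    case "$1" in
        CA)        echo hsm ;;
        RA|OTHER)  echo software ;;
        *)         echo "unknown key scope: $1" >&2; return 1 ;;
    esac
}

# reserve_label LABEL -> records LABEL; fails if it is already in use, because
# the HSM refuses a second keypair with the same label
reserve_label() {
    label="$1"
    touch "$KEY_LABEL_REGISTRY"
    if grep -qx -- "$label" "$KEY_LABEL_REGISTRY"; then
        echo "label '$label' already exists on the HSM partition" >&2
        return 1
    fi
    printf '%s\n' "$label" >> "$KEY_LABEL_REGISTRY"
}

# genkey SCOPE LABEL OUTFILE [BITS] -> generates the keypair on the token that
# the scope selects; OUTFILE receives either the HSM key reference or the PEM
genkey() {
    scope="$1"; label="$2"; out="$3"; bits="${4:-2048}"
    token=$(token_for_scope "$scope") || return 1
    case "$token" in
        hsm)
            reserve_label "$label" || return 1
            # Placeholder invocation of the vendor tool: the pair stays inside
            # the HSM and only a reference is written to $out.
            "$HSM_KEYGEN" --label "$label" --bits "$bits" --out "$out"
            ;;
        software)
            # Plain openssl keypair: exportable, never stored on the HSM partition.
            openssl genrsa -out "$out" "$bits"
            ;;
    esac
}

# Usage (after sourcing this file):
#   genkey CA    ca-signing-key   cakey.pem
#   genkey RA    ra-operator-01   ra_operator_01.pem
```

The point of routing on scope rather than on label is that the token.xml KEY_ID stays the single CA key reference, while operator keys never reach the HSM and therefore remain exportable regardless of the partition's export policy.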


_______________________________________________
OpenCA-Devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-devel