Hi,

In order to sign certificates it is necessary to
open the HSM with its operator card set
(/opt/nfast/bin/with-nfast pause) before executing the
openssl ca command.

I would like to know how OpenCA gets the HSM
password to load the private key to sign the
certificate? (For example, how can OpenCA use the
private key stored in the HSM through the CHIL engine?) One of
the openssl ca command options is -passin arg, and
OpenCA uses -passin env:pwd; how does OpenCA get the
passwords?

It does not get the password at all. The with-nfast pause command creates a credentials file in /opt/nfast/kmdata/preload. As long as this command is running, the HSM-protected keys are available to processes that can access this file. The OpenSSL command is then wrapped using with-nfast -M, making it possible to use the HSM-protected keys.

It is neither possible nor sensible to pass the Operator SmartCard passwords through a web application, hence the with-nfast approach.

Martin
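The flow Martin describes, written out as an added shell sketch (this is not OpenCA's or nCipher's code): "with-nfast pause" leaves a credentials file under the preload directory, and any process that can read that file can use the preloaded keys, so the wrapper refuses to sign when no session is open and also refuses when the credentials file is readable by group or others, since that would widen key access beyond the intended CA user. Assumed here: the preload directory and with-nfast paths from the mail, an OpenSSL config path, and the "openssl ca -engine chil -keyform engine" options for reaching the key through the CHIL engine; the credentials file name is not assumed, any regular file in the directory counts.

```shell
#!/bin/sh
# Added illustration, not OpenCA's or nCipher's code. Models the with-nfast
# flow: a credentials file left by "with-nfast pause" gates access to the
# preloaded HSM keys, so the wrapper checks that file before calling openssl.
# Assumed values: preload directory, with-nfast path, OPENSSL_CONF path, and
# the "-engine chil -keyform engine" options.

NFAST_PRELOAD_DIR="${NFAST_PRELOAD_DIR:-/opt/nfast/kmdata/preload}"
WITH_NFAST="${WITH_NFAST:-/opt/nfast/bin/with-nfast}"
OPENSSL_CONF="${OPENSSL_CONF:-/etc/openca/openssl.cnf}"   # assumed path

# preload_session_ok DIR
# Returns 0 if DIR holds at least one regular file (the credentials written by
# "with-nfast pause") and none of those files grants read access to group or
# others; returns 1 if no session is open, 2 if a file is too permissive.
preload_session_ok() {
    dir="$1"
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        found=1
        # First ten characters of "ls -l": type, user rwx, group rwx, other rwx.
        mode=$(ls -l "$f" | cut -c1-10)
        case "$mode" in
            ????-??-??) ;;   # group read (pos 5) and other read (pos 8) both off
            *) echo "refusing: $f is readable by others ($mode)" >&2; return 2 ;;
        esac
    done
    if [ "$found" -eq 0 ]; then
        echo "refusing: no credentials in $dir (run 'with-nfast pause' first)" >&2
        return 1
    fi
    return 0
}

# sign_csr CSR_FILE CERT_OUT
# Runs "openssl ca" inside "with-nfast -M" so the CHIL engine can reach the
# preloaded key. No passphrase is passed on the command line: the open HSM
# session, not a password, authorises use of the key, which is why the web
# application never has to handle the Operator Card Set password.
sign_csr() {
    preload_session_ok "$NFAST_PRELOAD_DIR" || return $?
    "$WITH_NFAST" -M openssl ca -batch \
        -config "$OPENSSL_CONF" \
        -engine chil -keyform engine \
        -in "$1" -out "$2"
}
```

Usage from the CA host, once an operator has run "with-nfast pause" in another session: source the script and call sign_csr request.csr cert.pem; the permission check fails closed, so a stray chmod on the preload directory stops signing rather than silently exposing the key to every local user.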



_______________________________________________
OpenCA-Devel mailing list
OpenCA-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-devel