dear martin,
thank you for your answer :)

i found a document that explains what you say about
with-nfast command line utility and its credentials
file, if someone wants to read it:
www.juniper.net/techpubs/hardware/dx/fips_supplement.pdf

martin i still have a little doubt about how the
openssl command is wrapped with with-nfast -M, could
you give me some hints please? maybe the openssl
command is wrapped with:
/opt/nfast/bin/with-nfast openssl ca ....
am i wrong?

on the other hand, martin, i would like to know if you
could help me to load openssl ENGINE CHIL (ncipher)
from an application in C++. i was studying openca to
know how it got the keys stored in hsm, and you have
explained to me how it happens.

what i really want to do is load the openssl engine
CHIL in my graphical application when the user has to
load private keys stored in hsm, for example to sign
certificates (my software is a CA).

i appreciate all the help you can give me :)

best regards

antonio araujo brett






 --- Martin Bartosch <[EMAIL PROTECTED]> wrote:

> Hi,
>
> > in order to sign certificates it is necessary to
> > open the hsm with its operator card set
> > (/opt/nfast/bin/with-nfast pause) before executing the
> > openssl ca command.
> >
> > i would like to know how does openca get the hsm
> > password to load the private key to sign the
> > certificate? (for example how openca can use the
> > private key stored in hsm through chil engine) one of
> > the openssl ca command options is -passin arg, and
> > openca uses -passin env:pwd, how openca gets the
> > passwords?
>
> it does not get the password at all. The with-nfast pause command
> creates a credentials file in /opt/nfast/kmdata/preload. As long as
> this command is running the HSM protected keys are available to
> processes that can access this file.
> The OpenSSL command is then wrapped using with-nfast -M, making it
> possible to use the HSM-protected keys.
>
> It is neither possible nor sensible to pass the Operators SmartCard
> passwords through a web application, hence the with-nfast approach.
>
> Martin
> _______________________________________________
> OpenCA-Devel mailing list
> OpenCA-Devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openca-devel
> 
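
Martin's reply says the HSM-protected keys are usable by any process that can access the preload credentials while `with-nfast pause` is running. As an added example (not part of either message, and not OpenCA or nCipher code), this shell function reports preload entries whose mode grants access beyond the owner; it assumes the credentials are ordinary files under the directory named in the thread, and the name `audit_preload` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): list which preload credential entries
# are reachable beyond their owner, since any process that can access them
# can use the HSM-protected keys while `with-nfast pause` is running.
# Assumption: credentials are ordinary files below the directory named in
# the thread; pass a different directory as $1 if your install differs.

PRELOAD_DIR=/opt/nfast/kmdata/preload

# audit_preload [DIR]
#   prints "WORLD <path>" or "GROUP <path>" for each over-permissive entry
#   returns 0 = owner-only, 1 = group/world access found, 2 = DIR missing
# Entries are flagged on their own mode bits, regardless of parent modes.
audit_preload() {
    dir=${1:-$PRELOAD_DIR}
    if [ ! -d "$dir" ]; then
        echo "audit_preload: $dir not found" >&2
        return 2
    fi
    # Symlink modes are not meaningful on most systems, so skip them.
    world=$(find "$dir" ! -type l \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
    # Group-accessible entries that are not already reported as WORLD.
    group=$(find "$dir" ! -type l \
        \( -perm -040 -o -perm -020 -o -perm -010 \) \
        ! \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -n "$world" ] && printf '%s\n' "$world" | sed 's/^/WORLD /'
    [ -n "$group" ] && printf '%s\n' "$group" | sed 's/^/GROUP /'
    # Succeed only when nothing beyond the owner has access.
    [ -z "$world" ] && [ -z "$group" ]
}

# Usage: audit_preload || echo "review preload permissions" >&2
```

A `GROUP` line is not necessarily a fault: it shows which group's members can use the keys, so check that the group contains only the accounts meant to run the wrapped `openssl` command.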

