Hi, I've read the archives... but could somebody give me some pointers for using an HSM with the "openssl" option in openCA 0.9.1.5, please? I hope this works with ActivKey (USB token), but I'm not sure (I'm even almost sure it isn't) that this token is directly supported by openssl. In fact I'd like every CA private key to be on a token; that would be fine. Why is there so much trouble with tokens and communicating with them? Isn't there a standardized API that token manufacturers rely upon for use with IE/Netscape? Wouldn't openCA do the same?
HSMs and tokens generally are a difficult area. There are four types of tokens (that we know of): tokens which have a PKCS#11 driver, tokens which are supported by OpenSSL, tokens which are supported by OpenSC and tokens which are partly supported by OpenSSL. Generally I'm talking here about HSMs to store the CA's private key. I don't write about user smartcards.
PKCS#11 driver
==============
There are HSMs which have their own PKCS#11 driver. This is the most common standard. The problem is that OpenSSL does not have a default PKCS#11 driver. We hope for OpenSC. OpenSC developed its own PKCS#11 driver and a vendor-independent PKCS#11 driver for OpenSSL. The problem is that I haven't got my CardOS card working with OpenSC until now :( If I have a card which works with OpenSC then I will start developing the driver for OpenCA.
tokens which are supported by OpenSC
====================================
Same as for the PKCS#11 driver: if I have a working OpenSC setup then there will be an OpenCA driver.
tokens which are supported by OpenSSL
=====================================
These tokens can be configured via OpenCA's engine argument in the configuration.
tokens which are partly supported by OpenSSL
============================================
Such tokens require the explicit programming of a driver for OpenCA. LunaCA3 is such a token. We have a driver for these tokens.
Finally, you see we only support LunaCA3 and fully OpenSSL-compliant tokens until now. This will only change if somebody has a working OpenSC setup and can test the driver for OpenSC. I can write an OpenSC driver but I cannot test it. So if somebody has a working OpenSC setup and is willing to test ...
Michael

--
Michael Bell                          Email: [EMAIL PROTECTED]
ZE Computer- und Medienservice        Tel.: +49 (0)30-2093 2482
(Computing Centre)                    Fax:  +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6                    Email (private): [EMAIL PROTECTED]
10099 Berlin
Germany                               http://www.openca.org
Openca-Users mailing list: https://lists.sourceforge.net/lists/listinfo/openca-users
