It seems to be a problem with the function name; in fact, after making another
genKey2() in OpenSSL.pm the code passes the if(), but then another
problem arises.
The following code:
    ## generate PKCS#10 request
    $req = new OpenCA::REQ (
        SHELL   => $cryptoShell,
        GETTEXT => \&i18nGettext,
        KEYFILE => $keyFile,
        SUBJECT => $dn,
        PASSWD  => $PASSWD,
        FORMAT  => "PEM");

causes an OpenSSL command line like this (I read it in the logfile):
req -new -config /home/openca-installed/etc/openssl/openssl.cnf
-passin env:pwd -subj "/C=IT/O=PKI/OU=Internet/CN=Administrator
PKI/[EMAIL PROTECTED]" -engine LunaCA3 -keyform PEM
-outform PEM -key /home/openca-installed/var/tmp/key_3715.pem -out
/home/openca-installed/var/tmp/3715_req.pem
but this will not work, because the key_3715.pem is not on the token,
so OpenSSL fails with:
3721:error:81073076:LunaCA3 engine:LUNA_RSA_PRIVATE_ENCRYPT:key not
found on token:hw_lunaca3.c:1424:
3721:error:0D080006:asn1 encoding routines:ASN1_sign:EVP lib:a_sign.c:275:
error in req
At this point I don't understand: am I misunderstanding the process,
or is there a problem in this part of OpenCA? I.e., the CA operator
certificate (and similar things happen with the RA certificate) is a
normal certificate, not a CA certificate, so the key pair should not
be generated on the HSM token?
On 7/1/05, Diego de Felice <[EMAIL PROTECTED]> wrote:
> Hi again, after getting LunaCA3 to work with OpenCA, I have
> encountered another problem. I've correctly generated the CA
> certificate using the HSM, but when creating the initial administrator
> of the CA, there is a strange behaviour: in lib/cmds/basic_csr this
> code
>
>     ## create the key
>     if( not $cryptoShell->genKey(
>             BITS      => $bits,
>             OUTFILE   => $keyFile,
>             ALGORITHM => $alg,
>             PASSWD    => $PASSWD ) ) {
>         generalError (gettext ("Cannot create keypair!").
>                       "<br>".$OpenCA::OpenSSL::errno,
>                       $OpenCA::OpenSSL::errno);
>     }
>
> instead of calling the genKey() of
> perl5/i386-linux-thread-multi/OpenCA/OpenSSL.pm, it calls the genKey()
> of perl5/OpenCA/Token/LunaCA3.pm and this obviously doesn't work,
> because the parameters are different and because in basic_csr the key
> must not be generated on the HSM token!
>
> How can this be possible? Only because the two functions have the
> same name? Or something else?
>
> --
> Diego de Felice
>
--
Diego de Felice
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users