Rodrigo H. Vázquez Cañás wrote:
> Massimiliano,
>
> Thanks for answering.
>
> The main problem is that I can't initialize the CA.
[...]
> OpenCA is working fine with OpenSSL as a Token, but when I enable
> LunaCA token, I can't create the keypair (in the initialization section). So
> I created the keypair manually, but I don't know how to reference it in the
> token.xml file
Because of the many different tools used to initialize the Tokens, usually you
have to do it by hand. This means that you have to follow the instructions from
the vendor. In particular, by using LunaSA tools you should be able to create a
reference file that will be used as the private key in OpenCA. This is not really
a private key, it is just a reference file; OpenSSL will take charge of making
the proper calls to the library that handles the communication to the LunaSA.

Please check you are using the LunaSA-enabled version of OpenSSL (I do not think
the "normal" version of OpenSSL comes with LunaSA support..) and configure the
token.xml.template to point to the certificate/private key file generated by
using the modified version of OpenSSL with the proper -engine extensions...
Then, as usual after changing the configuration templates, use the
configure_etc.sh script...

I worked quite some time ago with two LunaSA appliances.. but I guess the
procedure is to initialize the HSM and create a partition (i.e. use the
'hsm -init'), then you have to follow all the procedures to configure the secure
channel with the LunaSA (all described in LunaSA docs). Please check the
/etc/Chrystoki.conf which should look like:
EngineLunaCA3 = {
    EngineInit = 1:10:11;
    LibPath = /usr/lib/libCryptoki2.so;
}
Then to generate the private key (and the reference file) you can use the
commands:

$ /usr/lunasa/bin/sautil -o -s 1 -i 10:11 -p <partition_password>

and then:

$ /usr/lunasa/bin/sautil -g 1024 -f hsm-ocsp.pem -v -s 1 -i 10:11

The file 'hsm-ocsp.pem' should be your private key file. Now, by using the engine
commands, you should be able to use the private key stored inside the HSM, for
example to generate a certificate request:

$ openssl req -engine LunaCA3 -new -nodes -key hsm-ocsp.pem \
    -out hsm-ocsp.req -subj "/CN=CA Example/O=OpenCA/C=IT"

Most of the configuration options may vary depending on your configuration and
installation; check them by looking at the documentation from the vendor!
--- Max
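A pre-flight check for the setup Max describes, added here as an example and not code from the thread or from OpenCA: it reads EngineInit out of the EngineLunaCA3 block in Chrystoki.conf, checks that the slot and app id passed to sautil agree with it, and checks that the key reference file is present and not world-readable before token.xml is pointed at it. It assumes EngineInit is "slot:major:minor" and that sautil's -s/-i values must match it; the function names and the sample conf are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenCA project.
# Assumptions: Chrystoki.conf carries the EngineLunaCA3 block quoted above,
# EngineInit is "slot:major:minor", and sautil's -s/-i values must name the
# same slot and app id (assumed; a mismatch would make the engine look in
# the wrong slot for the key behind hsm-ocsp.pem).

# Print the EngineInit value from the EngineLunaCA3 block of a Chrystoki.conf.
engine_init_of() {
    sed -n '/^ *EngineLunaCA3 *= *{/,/^ *}/p' "$1" \
        | sed -n 's/^ *EngineInit *= *\([0-9:]*\) *;.*/\1/p' | head -n 1
}

# Succeed when sautil's slot ($2) and app id ($3, major:minor) agree with
# the EngineInit value ($1).
engine_init_matches() {
    [ "$1" = "$2:$3" ]
}

# Succeed when the key reference file exists, is non-empty and is not
# world-readable: it is not the key itself, but it is what OpenCA loads.
key_ref_file_ok() {
    [ -s "$1" ] || return 1
    perm="$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null)"
    case "$perm" in
        "" | *[4567]) return 1 ;;
    esac
}

# Full pre-flight on a live system (needs the LunaSA-enabled openssl), not
# exercised offline. $1 = Chrystoki.conf, $2 = key ref file, $3 = slot, $4 = app id.
hsm_preflight() {
    init="$(engine_init_of "$1")"
    [ -n "$init" ] || { echo "no EngineLunaCA3/EngineInit in $1" >&2; return 1; }
    engine_init_matches "$init" "$3" "$4" \
        || { echo "EngineInit $init != slot $3 app id $4" >&2; return 1; }
    key_ref_file_ok "$2" || { echo "bad key reference file $2" >&2; return 1; }
    openssl engine -t LunaCA3 >/dev/null 2>&1 \
        || { echo "LunaCA3 engine not available in this openssl" >&2; return 1; }
}

# Constructed sample conf, mirroring the block quoted in the thread.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
EngineLunaCA3 = {
EngineInit = 1:10:11;
LibPath = /usr/lib/libCryptoki2.so;
}
EOF
```

On a real host, run `hsm_preflight /etc/Chrystoki.conf hsm-ocsp.pem 1 10:11` before editing token.xml.template.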