Hi MAX!
I have some problems with the HSM and I hope that you can help me!
I could install LunaCA4 on RHEL5 with OpenCA samba (latest version with patches)!
OpenSSL needed a patch for the LunaCA4 engine, but the only patch available from
the company could only work with openssl-0.9.7d, and there the problem begins!
OpenCA (samba) works with at least openssl-0.9.8, and the patch was not working
any more, and ....
Fortunately I could patch openssl-0.9.8 and also openssl-1.0.0, and I installed
openssl-1.0.0, and now the HSM works fine!
In the token.xml file I defined another token named ilia as my default token and
defined the lunaca3 section as my CA token! I also added a KEY option to the CA
token because it needs the key!
I initialized my CA and everything is fine until issuing certificates for users!
After debugging I found out that openssl fails in crypto-utils.lib line 2074 in
function "crypto_add_pin_to_header" with the following error:
error code:6794
Cannot encrypt PIN-mail! Aborting!
OpenCA::OpenSSL returns errorcode 8010006 (OpenCA::OpenSSL::SMIME->sign:
unknown problem signing: 2431132:error:0306E06C:bignum
routines:BN_mod_inverse:no inverse:bn_gcd.c:491:
2431132:error:21086091:PKCS7 routines:PKCS7_final:pkcs7
datasign:pk7_smime.c:132:
error in smime
).
I think the problem is that in the SMIME library there is no engine specified
when trying to sign!
Now if I comment out this command, everything goes on successfully!
I don't know how to solve this problem!
And something that may be useful:
if I set the CA token as my default token, then while generating a key for a new
request on the server, it fails with this message: can not convert to pkcs#8!
But if I set the ilia token as my default token, everything goes fine!
Do you know something about this?
I will appreciate any help you or someone else can give me!
Regards,
alireza.
_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users