Hi Andrei,

Andrei Korostelev wrote:
> To sign a certificate signing request (CSR) in OpenSSL I use the
> X509_sign() function by feeding it with a request (as an X509_REQ*), a
> signing key and a digest.
>
> Now I have my signing key stored in an HSM, so I can't extract it to sign
> the CSR. Unfortunately PKCS#11 does not provide an analogue to
> X509_sign(). All it has is the C_Sign() / C_SignUpdate() / C_SignFinal()
> family of functions, which operate on raw data.
>
> Can someone help me with sample C/C++ code showing how to use SoftHSMv2 to
> sign a CSR created with OpenSSL?
I don't have sample code for you unfortunately; integration between PKCS #11
and OpenSSL normally goes through an OpenSSL PKCS #11 engine. The OpenSC
project provides a very limited PKCS #11 engine that they claim will work
with any PKCS #11 library (but we haven't tested it explicitly with SoftHSM
v2). You could give that a try:

https://www.opensc-project.org/opensc/wiki/engine_pkcs11

In the case of commercial HSMs from vendors like SafeNet (now Gemalto) and
nCipher (now Thales), they usually supply their own OpenSSL extensions for
this purpose.

Cheers,

Roland

-- 
-- Roland M. van Rijswijk - Deij
-- SURFnet bv
-- w: http://www.surf.nl/en/about-surf/subsidiaries/surfnet
-- e: [email protected]
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
