Hello,

On Feb 18, 2011, at 12:30 AM, NdK wrote:
> On 17/02/2011 22:55, Andreas Jellinghaus wrote:
>
>> no, that wiki page is correct and works for me - done it a hundred times.
>> it uses the key on the card, and the card does the signature (you cannot
>> read the private key, a smart card won't ever give it to you).
> Yup. That's why keys are generated on card :)

Unless the key is exportable ....

If you want to sign certificates with a smart card (run a CA against a PKCS#11 token) then EJBCA is the most feature complete solution I know. But most probably too much hassle for a few certificates for home use.

> *But* if I specify a slot too, it asks me for a PIN. Too bad *none* of
> the PINs I created works:
> $ openssl req -days 3650 -new -out rootca.csshl.org.csr -config
> openssl.conf -engine pkcs11 -keyform engine -key 1:10 -sha1

Have you tried some other format? slot_XX:id_XX ? (even though it should be the same). Having OpenSC log with the relevant C_OpenSession() and C_Login lines is useful as well.

> engine "pkcs11" set.
> PKCS#11 token PIN:
> Login failed
> PKCS11_get_private_key returned NULL
> cannot load Private Key from engine
> 3074688648:error:800050A4:Vendor defined:PKCS11_login:PIN
> locked:p11_slot.c:157:
> 3074688648:error:26096080:engine routines:ENGINE_load_private_key:failed
> loading private key:eng_pkey.c:126:
> unable to load Private Key
>
> I obviously tried all the PINs (included SOPIN). The strange thing is
> that NO PIN is locked after all the tries I did...

Is any PIN locked or counter decreasing? What is the output of pkcs11-tool --module /path/to/pkcs11.so -L ?

-- 
@MartinPaljak.net
+3725156495
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
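An added example, not part of the original message and not OpenSC or libp11 code: it splits the two OpenSSL error-queue lines quoted above into library, function and reason numbers, so the code behind "PIN locked" can be compared with the PKCS#11 return values. It assumes the pre-3.0 OpenSSL packing (8 bits library, 12 bits function, 12 bits reason) and that the add-on library stores the raw CKR_* value as the reason, which matches the reason text on the quoted line; the names unpack, decode and SAMPLE are made up for this example.

```python
import re

# Constructed sample: the two error-queue lines quoted in the message above,
# with the mail client's line wrapping and "> " quoting removed.
SAMPLE = """\
3074688648:error:800050A4:Vendor defined:PKCS11_login:PIN locked:p11_slot.c:157:
3074688648:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
"""

# <thread id>:error:<packed code>:<library>:<function>:<reason>:<file>:<line>:
ERR_LINE = re.compile(
    r"^(?P<tid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):"
)

# PIN-related return values defined by the PKCS#11 specification.
CKR_PIN = {0xA0: "CKR_PIN_INCORRECT", 0xA1: "CKR_PIN_INVALID",
           0xA2: "CKR_PIN_LEN_RANGE", 0xA3: "CKR_PIN_EXPIRED",
           0xA4: "CKR_PIN_LOCKED"}

ERR_LIB_USER = 128  # OpenSSL library numbers from here up belong to add-ons


def unpack(code):
    """Split a pre-3.0 OpenSSL error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def decode(text):
    """Return one dict per error-queue line found in text."""
    records = []
    for raw in text.splitlines():
        m = ERR_LINE.match(raw.strip())
        if m is None:
            continue  # prompts such as "Login failed" are not queue entries
        lib, func, reason = unpack(int(m.group("code"), 16))
        # Assumption: an add-on library (libp11 here) stores the raw CKR_* value
        # as the reason, so only codes from such a library are mapped.
        ckr = CKR_PIN.get(reason) if lib >= ERR_LIB_USER else None
        records.append({"lib": lib, "func": func, "reason": reason,
                        "ckr": ckr, "text": m.group("reason"),
                        "where": f'{m.group("file")}:{m.group("line")}'})
    return records


if __name__ == "__main__":
    for rec in decode(SAMPLE):
        print(rec)
```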