Alexei Khlebnikov wrote:
> On Fri, 13 Nov 2009 13:25:30 +0100, Mansour Dagher
> <[email protected]> wrote:
>> If certificates and private keys are stored on hardware (Sun Crypto
>> card for example) instead of the filesystem, is there a way in openssl
>> to specify the hardware as the location of these certificates?
>> Any thoughts/suggestions?
> An obvious idea is to retrieve the key and cert yourself and then give
> them to OpenSSL in DER or PEM format, for example using d2i_X509,
> d2i_X509_bio, PEM_read_bio_X509_AUX, etc.
Note that some products either come with a pre-built openssl engine
(e.g. the various PCI cards) which you can reference with something like:

    openssl x509 -engine nsp4 -keyform engine \
        -key DSA-public:1:12 -text -out cert.pem

    openssl smime -sign -engine luna2 -in email.txt \
        -out signed.email.txt \
        -signer cert.pem -keyform engine -inkey DSA-Public:1:12

while others provide a pkcs15 or similar interface which you can then
call as a generic engine; e.g. through OpenSC. So then the path is
openssl -> pkcs15 -> smart-card/hardware specific.
Thanks,
Dw.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
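
Added example, not part of the original thread and not OpenSSL project code: when a certificate is read off the device and handed to OpenSSL in DER or PEM while the private key stays on the hardware, a proof-of-possession check confirms the two belong together. The function names and the KEYFORM and ENGINE variables are this example's own assumptions; a constructed software key stands in for the device so the script runs without hardware.

```shell
# Added example: check that a certificate read off a device belongs to the
# private key it will be used with, without exporting the key. A random
# challenge is signed with the key and verified with the cert's public key.
# KEYFORM and ENGINE are this example's own variables (assumptions): for a
# hardware key set KEYFORM=engine and ENGINE to the engine id.
KEYFORM=${KEYFORM:-PEM}
ENGINE=${ENGINE:-}

# der_to_pem IN.der OUT.pem: convert a DER certificate fetched from the device.
der_to_pem() {
    openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
}

# cert_matches_key CERT.pem KEY: 0 = match, 1 = mismatch, 2 = could not test.
cert_matches_key() {
    tmp=$(mktemp -d) || return 2
    rc=2
    if head -c 32 /dev/urandom > "$tmp/challenge" &&
       openssl x509 -in "$1" -pubkey -noout > "$tmp/pub.pem" 2>/dev/null &&
       openssl dgst -sha256 ${ENGINE:+-engine "$ENGINE"} -keyform "$KEYFORM" \
           -sign "$2" -out "$tmp/sig" "$tmp/challenge" 2>/dev/null
    then
        rc=1
        if openssl dgst -sha256 -verify "$tmp/pub.pem" -signature "$tmp/sig" \
               "$tmp/challenge" 2>/dev/null | grep -q 'Verified OK'
        then rc=0; fi
    fi
    rm -rf "$tmp"
    return "$rc"
}

# make_demo_pair DIR NAME: constructed software key and self-signed DER
# certificate, standing in for objects that would live on the device.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null &&
    openssl x509 -in "$1/$2.pem" -outform DER -out "$1/$2.der"
}
```

With an engine, the second argument to cert_matches_key is the engine's key identifier rather than a file name.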