[EMAIL PROTECTED] wrote:
Hi,
I'm trying to sign a CSR with a private key stored on a Luna CA3
token. For this I use 2 versions of OpenSSL:
- The first one is provided by SafeNet: openssl-lunaca3-0.9.6-5.i386.rpm
- The second one is built from OpenSSL 0.9.7b with the patch
openssl-lunaca3-patch-0.9.7.tar
The token is placed on slot 1, then
- initialized with a 1024-bit RSA private key; command = ca3util -g 1024 -f server.key -s 1 -i 4:2
- activated with the enabler command:
Hi Yo,
here is the sample from Chrysalis, how to create a cert:
# open application id 10:11 on slot 1, PED entry will be required (the
# app id must fit with your settings in chrystoki.conf)
ca3util -o -s 1 -i 10:11
# generate a 1024 bit RSA key on slot 1 logged in on app id 10:11
# and write the key handles to server.key
ca3util -s 1 -i 10:11 -g 1024 -f server.key
# generate a certificate signing request using token in slot 1
# logged in as app id 10:11
openssl req -engine LunaCA3 -enginearg 1:10:11 -new -key server.key -out user.csr
# close an app id logged in to token in slot 1 with id 10:11
ca3util -c -s 1 -i 10:11
After this, you can sign certs with the following command:
openssl ca -engine LunaCA3 -config openssl.cnf -cert CA.crt -keyfile CA.key -in user.csr -out out -batch
Hope this helps
Adam
As you can see, the RSA key is present:
# pkcs11-tool --module /usr/luna/lib/libcrystoki2.so -O
Public Key Object; RSA 1024 bits
label: RSA 1024-bit Public Key
Usage: encrypt, verify
Private Key Object; RSA
label: RSA 1024-bit Private Key
ID: 6964
Usage: decrypt, sign
The token is activated:
# enabler
==============================================================================
Slot 1: token present. Application ACTIVATED
token type : Luna CA3   label : test   serial number : 35085   open sessions : 4
------------------------------------------------------------------------------
The HSM is configured as below:
# more /etc/Chrystoki.conf
Chrystoki2 = {
LibUNIX=/usr/lib/libcrystoki2.so;
}
CardReader = {
RemoteCommand=1;
}
Luna = {
DefaultTimeOut=500000;
PEDTimeout1=100000;
PEDTimeout2=100000;
}
Misc = {
AppIdMajor=4;
AppIdMinor=2;
LogFile = /var/log/lunaca3.log;
}
EngineLunaCA3= {
EngineInit = 1:4:2;
LibPath = /usr/luna/lib/libcrystoki2.so;
}
Each time I try to load a key from the token, an error occurs, whichever
version of OpenSSL I use:
/usr/local/ssl/bin/openssl req -engine LunaCA3 -keyform engine -text -key "RSA 1024-bit Private Key:1" -out cr.pem
Using configuration from /usr/local/ssl/openssl.cnf
engine "LunaCA3" set.
unable to load Private key
9510:error:2609607D:engine routines:ENGINE_load_private_key:no load function:engine_lib.c:239:
I notice the same issue when I change the content of the -key option
to: 6964, 6964:1... I tried all sorts of strings without success.
Has anyone been able to sign or decrypt files with OpenSSL and a SafeNet
Luna CA3 HSM? Is there another way to perform those operations
without OpenSSL? It seems possible with the command pkcs11-tool (from the
OpenSC project), but I can't make it work.
Thanks in advance for your help,
Regards,
Yo.
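Adam's reply stresses that the app id passed to ca3util and to the engine must fit the settings in chrystoki.conf; the shell script below is an added check, not code from the thread or from SafeNet, that parses a Chrystoki.conf and verifies that EngineLunaCA3.EngineInit (slot:major:minor) uses the same app id as Misc.AppIdMajor/AppIdMinor. The conf sample it writes is constructed from the sections quoted in the mail; the helper names are my own.

```shell
# Added example, not from the thread: verify that the app id the LunaCA3
# engine opens (EngineLunaCA3.EngineInit = slot:major:minor) matches the
# app id in Misc (AppIdMajor/AppIdMinor) that ca3util also uses.

# conf_value FILE SECTION KEY: print KEY's value inside "SECTION = { ... }"
conf_value() {
    awk -v sec="$2" -v key="$3" '
        $0 ~ ("^[ \t]*" sec "[ \t]*=[ \t]*[{]") { in_sec = 1; next }
        in_sec && /^[ \t]*}/                     { in_sec = 0 }
        in_sec {
            line = $0
            sub(/;[ \t]*$/, "", line)            # drop the trailing ";"
            n = index(line, "=")
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/[ \t]/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# check_app_id FILE: return 0 only if EngineInit's major:minor equals Misc's
check_app_id() {
    major=$(conf_value "$1" Misc AppIdMajor)
    minor=$(conf_value "$1" Misc AppIdMinor)
    init=$(conf_value "$1" EngineLunaCA3 EngineInit)
    slot=${init%%:*}; rest=${init#*:}
    if [ "${rest%%:*}" = "$major" ] && [ "${rest#*:}" = "$minor" ]; then
        echo "ok: engine opens slot $slot with app id $major:$minor"
        return 0
    fi
    echo "mismatch: EngineInit=$init, Misc AppIdMajor=$major AppIdMinor=$minor"
    return 1
}

# write_sample_conf FILE: constructed sample modelled on the mail's Chrystoki.conf
write_sample_conf() {
    cat > "$1" <<'EOF'
Misc = {
AppIdMajor=4;
AppIdMinor=2;
LogFile = /var/log/lunaca3.log;
}
EngineLunaCA3= {
EngineInit = 1:4:2;
LibPath = /usr/luna/lib/libcrystoki2.so;
}
EOF
}

tmp=$(mktemp); write_sample_conf "$tmp"; check_app_id "$tmp"; rm -f "$tmp"
```

Run it against the real /etc/Chrystoki.conf by calling check_app_id on that path; a non-zero exit means the engine and ca3util are not talking about the same application id.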
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]