Yo,
[EMAIL PROTECTED] wrote:
Hi Adam,
Thanks for your answer on the OpenSSL mailing list. Firstly, I'm sorry
for contacting you with your personal email address. Currently I can't
join the OpenSSL mailing list (my company has problems with its
reverse DNS zone).
> openssl req -engine LunaCA3 -enginearg 1:10:11 -new -key server.key -out user.csr
The option "enginearg" is not recognized with OpenSSL 0.9.7b. Which
version are you using?
The enginearg is a typo, forget it, it is set in the Chrystoki.conf, you
remember the engine stuff from there ...
The following command works, but you are passing the CA private key as
an argument. It would also have succeeded without the engine option.
#openssl req -engine LunaCA3 -new -key server.key -out user.csr
The Chrysalis stuff creates a private key file, which is not a true
private key file, instead pointing to the internal key, so if you would
sign some stuff, then the private key file must be the key file stated
before.
To be able to sign a cert the following command is useful:
openssl ca -engine LunaCA3 -config openssl.cnf -cert CA.crt -keyfile CA.key -in user.csr -out out -batch
What I'd like to do is:
1) generating user private key
#openssl genrsa -out user.key
3) generating user CSR signed with his private key
#openssl req -engine LunaCA3 -new -key user.key -out user.csr
The above statement does not use the Luna, because the generated key
is on the filesystem.
4) sign the user CSR with the CA private key
#openssl ca -engine LunaCA3 -keyform engine -in user.csr
The keyform is not necessary; instead use the -key parameter and point
it at the special keyfile.
so, if you previously created the root key and cert in the LunaCA3 with
the file named CA.key and CA.crt, then the following would be good:
openssl ca -engine LunaCA3 -config openssl.cnf -cert CA.crt -keyfile CA.key -in user.csr -out out -batch
The last command produces the messages:
engine "LunaCA3" set.
Using configuration from /usr/local/ssl/openssl.cnf
unable to load CA private key
13224:error:2609607D:engine routines:ENGINE_load_private_key:no load function:eng_pkey.c:109:
Always the same issue. Any ideas?
Thanks,
Yo
Adam
Adam Tresch wrote:
[EMAIL PROTECTED] wrote:
Hi Yo,
here is the sample from Chrysalis, how to create a cert:
# open application id 10:11 on slot 1, PED entry will be required
(The app id must fit with your settings in chrystoki.conf)
ca3util -o -s 1 -i 10:11
# generate a 1024 bit RSA key on slot 1 logged in on app id 10:11 and write the key handles to server.key
ca3util -s 1 -i 10:11 -g 1024 -f server.key
# generate a certificate signing request using token in slot 1 logged in as app id 10:11
openssl req -engine LunaCA3 -enginearg 1:10:11 -new -key server.key -out user.csr
# close an app id logged in to token in slot 1 with id 10:11
ca3util -c -s 1 -i 10:11
After this, you can sign certs with the following command:
openssl ca -engine LunaCA3 -config openssl.cnf -cert CA.crt -keyfile CA.key -in user.csr -out out -batch
Hope this helps
Adam
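The "no load function" line above is the point of the thread: with -keyform engine, openssl ca asks the engine for ENGINE_load_private_key, and an engine that does not register a load_privkey callback fails with ENGINE_R_NO_LOAD_FUNCTION, which is why the key-handle file has to go through -keyfile instead. The decoder below is an added example, not code from either poster or from Chrysalis; it splits a 0.9.7-style OpenSSL error line into its fields, unpacks the packed 32-bit error code into library/function/reason numbers, and checks for this particular failure. The numeric constants are taken from OpenSSL's err.h and engine.h of that era and are assumptions of this example.

```python
import re

# OpenSSL 0.9.x error line: pid:error:CODE:library:function:reason:file:line:
# CODE is a 32-bit hex value: library (8 bits) | function (12 bits) | reason (12 bits).
ERR_LINE = re.compile(
    r"^(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):"
)

# Assumed constants from OpenSSL err.h / engine.h (0.9.7 era).
ERR_LIB_ENGINE = 38                      # 0x26
ENGINE_F_ENGINE_LOAD_PRIVATE_KEY = 150   # 0x096
ENGINE_R_NO_LOAD_FUNCTION = 125          # 0x07D

# Constructed sample: the line quoted in the thread.
SAMPLE = ("13224:error:2609607D:engine routines:ENGINE_load_private_key:"
          "no load function:eng_pkey.c:109:")


def parse_err_line(line):
    """Split one OpenSSL error line into its textual and numeric parts."""
    m = ERR_LINE.match(line.strip())
    if not m:
        raise ValueError("not an OpenSSL error line: %r" % line)
    code = int(m.group("code"), 16)
    return {
        "pid": int(m.group("pid")),
        "lib": code >> 24,                 # ERR_GET_LIB
        "func": (code >> 12) & 0xFFF,      # ERR_GET_FUNC
        "reason": code & 0xFFF,            # ERR_GET_REASON
        "lib_name": m.group("lib"),
        "func_name": m.group("func"),
        "reason_text": m.group("reason"),
        "file": m.group("file"),
        "line": int(m.group("line")),
    }


def engine_lacks_load_privkey(line):
    """True when the line is ENGINE_load_private_key failing for lack of a
    load_privkey callback, i.e. -keyform engine cannot work with this engine."""
    e = parse_err_line(line)
    return (e["lib"] == ERR_LIB_ENGINE
            and e["func"] == ENGINE_F_ENGINE_LOAD_PRIVATE_KEY
            and e["reason"] == ENGINE_R_NO_LOAD_FUNCTION)
```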
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]