On July 22, 2009 04:00:15 pm Eduardo M.Cavalcanti wrote:
> Hello,
> In case I use a HSM to generate a certificate request is it possible
> to differentiate this certificate request from a certificate request
> issued from plain openssl?

Short answer: no.

Longer answer: Still no, but if you are working in a policy constrained environment, then you can legally (via a contract enforceable in the courts and an audit to ensure compliance) require your subscribers to generate their keys in whatever your policy requires.

Another possible case is that your subscribers are using a web interface that you control that triggers the private key creation. In which case, there are certain parameters that you can give to XEnroll, CEnroll, etc., that only allow the user to choose a "Hardware" based key generation system.

Of course, as several people have already complained about in other fora, this is a Windows centric view, and the Safari/Mozilla/Opera folks are still stuck with either generateCRMFRequest (which creates a request in a format that very few can consume), or the KEYGEN tag (which, while it uses SPKAC instead of PKCS#10, at least it's been around long enough to gain a modicum of adoption). However, neither of these methods allows you to add any constraints whatsoever on the key generation location, capabilities, or container.

Of the two, the "get them to sign a contract wherein they promise to only use keys generated in hardware" method is probably the most reliable.

Have fun.

--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
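The reason the answer is "no" is that a PKCS#10 request has no field that records where its private key was generated, and a CA can only check the request's self-signature (proof that the requester holds the key). The script below is an added example, not code from the original post or from the OpenSSL project: it builds two requests from software keys with plain openssl in a temporary directory, lists the ASN.1 object identifiers each request contains, and verifies the self-signature. The OID sets are identical and hold only naming, key-type and signature-algorithm identifiers; a request signed by an HSM-held key through an engine or provider has the same PKCS#10 shape. The file names, subject names and the minimal request config are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Shows that a PKCS#10 request contains nothing that records where the
# private key was generated: two requests from plain openssl keys carry the
# same set of object identifiers, and the only check a CA can run on the
# request itself is the proof-of-possession self-signature.
set -eu

WORKDIR=$(mktemp -d)            # scratch space for keys, requests, config
trap 'rm -rf "$WORKDIR"' EXIT

# Minimal request config (constructed for the example) so that "openssl req"
# does not depend on a system-wide openssl.cnf.
cat > "$WORKDIR/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
EOF

# make_csr NAME: generate a software P-256 key and a PKCS#10 request for it.
# Files land in $WORKDIR/NAME.key and $WORKDIR/NAME.csr.
make_csr() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORKDIR/$1.key" 2>/dev/null
  openssl req -new -config "$WORKDIR/req.cnf" -key "$WORKDIR/$1.key" \
    -subj "/CN=$1.example.test" -out "$WORKDIR/$1.csr" 2>/dev/null
}

# csr_oids FILE: print the sorted, de-duplicated object identifiers present
# in the request's ASN.1 structure. This is the complete vocabulary of the
# request; none of these identifiers describes the key's origin.
csr_oids() {
  openssl asn1parse -in "$1" | sed -n 's/.*prim: OBJECT *:\(.*\)$/\1/p' | sort -u
}

# csr_verifies FILE: "yes" if the request's self-signature checks out
# (the requester holds the private key), "no" otherwise. This is the only
# property of the key a CA can establish from the request alone.
csr_verifies() {
  if openssl req -in "$1" -noout -verify -config "$WORKDIR/req.cnf" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

# Demo: two independently generated requests, compared side by side.
make_csr alpha
make_csr beta
echo "OIDs in alpha.csr:"; csr_oids "$WORKDIR/alpha.csr"
echo "OIDs in beta.csr:";  csr_oids "$WORKDIR/beta.csr"
echo "alpha.csr signature valid: $(csr_verifies "$WORKDIR/alpha.csr")"
echo "beta.csr signature valid:  $(csr_verifies "$WORKDIR/beta.csr")"
if [ "$(csr_oids "$WORKDIR/alpha.csr")" = "$(csr_oids "$WORKDIR/beta.csr")" ]; then
  echo "Same structure: nothing in PKCS#10 identifies where the key lives."
fi
```

Running it prints the same short OID list for both requests (the common-name attribute, the EC key type and curve, and the ECDSA signature algorithm) and "yes" for both signature checks. That is the whole of what the request format can say about the key, which is why the policy and contract route in the reply is the only way to constrain where subscriber keys are generated.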