On Sat, Nov 21, 2009, Frederik Mennes wrote:
> Hi all,
>
> I am currently building a CA using the OpenSSL crypto library. Private keys
> will be stored inside an HSM. Therefore I'm considering the EVP interface as
> it allows using an engine towards an HSM.
>
> Examples of operations involving private keys that need to be supported are:
>
> 1. Signing a given message
> 2. Signing an X.509 certificate
> 3. Signing a PKCS #10 certificate request
> 4. Signing an OCSP response message
>
> Example (1) is easy to support using the EVP_Sign functions.
>
> However, the three other examples are more complicated. For example 1, the
> x509_sign() function does not work with private keys inside an HSM, and the
> EVP interface does not have functions for signing an X.509 certificate.
They can all be supported. OpenSSL provides an ENGINE interface where an
EVP_PKEY can be loaded from an HSM. That key can then be used in the same way
as a non-HSM key.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org