On Thu, Mar 08, 2012, Nou Dadoun wrote:

> Thanks for the response, I'm trying to allow end-users to use commercially
> purchased certificates so I'd rather not make the assumption that the key is
> exportable.
>
> Using the capi engine sounds like a viable alternative, but I've had trouble
> tracking down details on how to use it.
>
> Unfortunately I have a few restrictions; we're FIPS-certified on OpenSSL
> 0.9.8n so that's the version I'm stuck with (without recertifying). I also
> want to use the crypto API directly to tell it which certificate to load and
> use (i.e. user configurable through a GPO setting) and then have the engine
> use that certificate for the SSL handshake to the peer.
>
> I've read the O'Reilly section on Engines but it's pretty rudimentary and
> doesn't touch the capi engine. Do you have a pointer to any user
> documentation that might have some examples on using the capi engine?
If you need all crypto to be FIPS compliant (for some value of compliant) that's a can of worms, because the relevant CSPs might not be and you'd be mixing various cryptographic operations across boundaries.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
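The exchange asks two things the thread never spells out: how a program drives the built-in capi engine from the ENGINE API rather than the command line, and how that interacts with the FIPS boundary Steve warns about. The following is an added example, not code from the thread or from the OpenSSL project. It assumes a 0.9.8-era client on Windows, a selector string that arrives from a GPO value (the `capi_cfg` struct and its field names are hypothetical), the "MY" store, and subject-substring selection (capi's `lookup_method` 1) so that one selector drives both the Win32 certificate lookup and capi's private-key lookup. The capi ctrl command names (`store_name`, `lookup_method`) and their value ranges are those of OpenSSL's e_capi engine. The engine is deliberately never made the default for RSA/DSA/RAND: only the one private-key operation is routed to the CSP, and digests, ciphers and everything else stay with OpenSSL's own (FIPS-validated) implementation, which is the smallest crossing of the boundary the reply describes. Build on Windows with `-lssl -lcrypto -lcrypt32`; on other platforms only the configuration-validation part compiles.

```c
/* Added example: load a Windows certificate-store key into an SSL_CTX via the
 * OpenSSL "capi" ENGINE, keeping the rest of the crypto in OpenSSL itself.
 * Not from the thread; see the lead-in for the assumptions made. */
#include <stdio.h>
#include <string.h>

/* Settings as they would arrive from a GPO/registry value (hypothetical). */
struct capi_cfg {
    const char *store_name;    /* capi ctrl "store_name", e.g. "MY" */
    int lookup_method;         /* capi ctrl "lookup_method": 1 = subject substring, 2 = friendly name */
    const char *cert_selector; /* string handed to ENGINE_load_private_key() */
};

struct capi_cmd { const char *name; char arg[64]; };

/* Pure part: turn policy-supplied settings into the capi ctrl commands to
 * issue, rejecting values a misconfigured policy could carry.
 * Returns the number of commands written to out, or -1 on invalid config. */
int capi_plan_ctrls(const struct capi_cfg *cfg, struct capi_cmd *out, int max)
{
    if (!cfg->store_name || !*cfg->store_name ||
        strlen(cfg->store_name) >= sizeof out->arg)
        return -1;
    if (cfg->lookup_method != 1 && cfg->lookup_method != 2)
        return -1;
    if (!cfg->cert_selector || !*cfg->cert_selector)
        return -1;
    if (max < 2)
        return -1;
    out[0].name = "store_name";
    strcpy(out[0].arg, cfg->store_name);
    out[1].name = "lookup_method";
    snprintf(out[1].arg, sizeof out[1].arg, "%d", cfg->lookup_method);
    return 2;
}

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>          /* must precede the OpenSSL headers (X509_NAME clash) */
#include <openssl/engine.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>

/* Certificate (public half) via Win32 CAPI: capi only serves the private key. */
static X509 *load_cert_from_store(const struct capi_cfg *cfg)
{
    X509 *x = NULL;
    HCERTSTORE hs = CertOpenSystemStoreA(0, cfg->store_name);
    if (!hs)
        return NULL;
    PCCERT_CONTEXT cc = CertFindCertificateInStore(hs, X509_ASN_ENCODING, 0,
                            CERT_FIND_SUBJECT_STR_A, cfg->cert_selector, NULL);
    if (cc) {
        const unsigned char *p = cc->pbCertEncoded;
        x = d2i_X509(NULL, &p, (long)cc->cbCertEncoded);
        CertFreeCertificateContext(cc);
    }
    CertCloseStore(hs, 0);
    return x;
}

/* Attach certificate and CSP-backed private key to ctx. Returns 1 on success. */
int capi_attach_key(SSL_CTX *ctx, const struct capi_cfg *cfg)
{
    struct capi_cmd cmds[2];
    ENGINE *e;
    X509 *cert = NULL;
    EVP_PKEY *pkey = NULL;
    int n, i, ok = 0;

    if (cfg->lookup_method != 1 || (n = capi_plan_ctrls(cfg, cmds, 2)) < 0)
        return 0;                        /* this example pairs method 1 with CERT_FIND_SUBJECT_STR */
    ENGINE_load_builtin_engines();
    if ((e = ENGINE_by_id("capi")) == NULL)
        return 0;
    for (i = 0; i < n; i++)              /* configure before ENGINE_init() */
        if (!ENGINE_ctrl_cmd_string(e, cmds[i].name, cmds[i].arg, 0))
            goto done;
    if (!ENGINE_init(e))
        goto done;
    /* Note: no ENGINE_set_default(); only this key's operations reach the CSP. */
    cert = load_cert_from_store(cfg);
    pkey = ENGINE_load_private_key(e, cfg->cert_selector, NULL, NULL);
    if (cert && pkey &&
        SSL_CTX_use_certificate(ctx, cert) == 1 &&
        SSL_CTX_use_PrivateKey(ctx, pkey) == 1 &&
        SSL_CTX_check_private_key(ctx) == 1)
        ok = 1;
    ENGINE_finish(e);
done:
    X509_free(cert);
    EVP_PKEY_free(pkey);
    ENGINE_free(e);
    return ok;
}
#endif
```

`capi_plan_ctrls` is separated from the engine calls so the policy value can be rejected before any CSP is touched; `SSL_CTX_check_private_key` catches the case where the subject-substring selector matched different certificates in the Win32 lookup and in capi's own lookup, which is the main pitfall of substring selection in a store with several similar subjects.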