> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
> Dmitry Belyavsky
> Sent: Wednesday, September 27, 2017 06:22
> To: openssl-users@openssl.org
> Subject: [openssl-users] Storing private key on tokens

> What is the most natural way to generate private keys using openssl but store 
> them on specific hardware tokens? 
> Reading/writing is implemented via engine mechanism.

The tokens / HSMs I've used don't let you generate a key somewhere else and 
install it on the token. They insist on doing the key generation locally. That 
is, after all, part of the point of using a token - the key never leaves it.

Some tokens and HSMs support key backup and restore, e.g. Nitrokey HSM's DKEK 
share mechanism, but that's deliberately not open to "restoring" some arbitrary 
private key onto the device.

So this wouldn't make much sense for the pkcs11 engine, even if PKCS#11 
provided an API for it.

-- 
Michael Wojcik 
Distinguished Engineer, Micro Focus 


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users