> On 27 Sep 2017, at 20:02, Michael Wojcik <[email protected]>
> wrote:
>
>> What is the most natural way to generate private keys using openssl but
>> store them on a specific hardware tokens?
>> Reading/writing is implemented via engine mechanism.
>
> The tokens / HSMs I've used don't let you generate a key somewhere else and
> install it on the token. They insist on doing the key generation locally.
> That is, after all, part of the point of using a token - the key never leaves
> it.
I've found that the Feitian ePass2000s and the Yubico keys allow importing
of the private key. They do usually want the 'extra' flags to specify use:
    pkcs15-init --store-private-key .ssh/id_rsa-foo --auth-id 01 \
        --key-usage sign,decrypt --label "ssh key of [email protected]"
and some fail silently when you do not provide these.
Dw.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
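The import procedure from the reply above, as an added example that is not part of the thread and not OpenSC's or OpenSSL's own code: generate the key with openssl, store it with pkcs15-init using explicit usage flags, and then re-read the token's key listing so a silent failure is caught instead of trusted. The label, auth-id, object id and the sample listing text are assumptions for illustration; the listing is constructed here rather than captured from a real token.

```shell
#!/bin/sh
# Added example: openssl key generation + pkcs15-init import + verification.
# Assumes OpenSC's pkcs15-init / pkcs15-tool are on PATH and one initialised
# PKCS#15 token is attached. Label, auth-id and object id are hypothetical.

KEY_FILE="${KEY_FILE:-id_rsa-foo.pem}"
KEY_LABEL="${KEY_LABEL:-ssh key of someone@example.com}"   # hypothetical
AUTH_ID="${AUTH_ID:-01}"   # PIN object the key is protected by (hypothetical)
KEY_ID="${KEY_ID:-10}"     # object id so the key can be addressed later (hypothetical)

# Generate a 2048-bit RSA key as PEM; pkcs15-init reads PEM/DER directly.
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1"
    chmod 600 "$1"
}

# Import $1 (PEM private key) under label $2. --key-usage is given
# explicitly because, as the thread notes, some tokens accept the command
# without it and store nothing usable.
import_key() {
    pkcs15-init --store-private-key "$1" \
        --auth-id "$AUTH_ID" --id "$KEY_ID" \
        --key-usage sign,decrypt \
        --label "$2"
}

# Check a `pkcs15-tool --list-keys` listing ($1) for a private key whose
# label is $2 and whose Usage line lists both "sign" and "decrypt".
# Returns 0 only if such a key is present; this is the post-import check.
key_present() {
    listing=$1; label=$2
    printf '%s\n' "$listing" | awk -v want="$label" '
        /^Private .* Key \[/ {
            l = $0; p = index(l, "["); l = substr(l, p + 1)
            sub(/\][ \t]*$/, "", l)            # strip trailing "]"
            inkey = (l == want)
            next
        }
        inkey && /^[ \t]*Usage[ \t]*:/ {
            s = $0
            p = index(s, "]"); if (p == 0) p = index(s, ":")
            s = substr(s, p + 1)               # drop "Usage : [0x2E]"
            sub(/^[ \t,]*/, "", s)
            n = split(s, u, /[ \t]*,[ \t]*/)
            hs = 0; hd = 0
            for (i = 1; i <= n; i++) {
                if (u[i] == "sign")    hs = 1
                if (u[i] == "decrypt") hd = 1
            }
            if (hs && hd) found = 1
            inkey = 0
        }
        END { exit found ? 0 : 1 }'
}

# Re-read the token and fail unless the imported key is really there.
verify_import() {
    key_present "$(pkcs15-tool --list-keys 2>/dev/null)" "$1"
}

# Constructed sample listing (not captured from a real token) in the shape
# pkcs15-tool prints; used to exercise key_present() offline.
SAMPLE_LISTING='Using reader with a card: Example Token 00 00
Private RSA Key [ssh key of someone@example.com]
    Object Flags   : [0x03], private, modifiable
    Usage          : [0x2E], decrypt, sign, signRecover, unwrap
    Access Flags   : [0x0D], sensitive, alwaysSensitive, neverExtract
    ModLength      : 2048
    Auth ID        : 01
    ID             : 10
Private RSA Key [signing only]
    Object Flags   : [0x03], private, modifiable
    Usage          : [0x0C], sign, signRecover
    ModLength      : 2048
    Auth ID        : 01
    ID             : 11'

main() {
    gen_key "$KEY_FILE"
    import_key "$KEY_FILE" "$KEY_LABEL"
    if verify_import "$KEY_LABEL"; then
        echo "import verified: [$KEY_LABEL] present with sign,decrypt"
    else
        echo "import NOT verified: key missing or usage wrong" >&2
        exit 1
    fi
}

# Only touch the token when run explicitly: ./import-check.sh --run
case "${1:-}" in --run) main ;; esac
```

The point of `verify_import` is that pkcs15-init's exit status is not the evidence that matters; the key listing read back from the token is. The input file must be PEM or DER that pkcs15-init understands; a key saved in the newer OpenSSH private-key format needs converting (for example with `ssh-keygen -p -m PEM`) before `--store-private-key` will read it.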