Hi,

> As I know, openxpki supports PKCS#11 interface via OpenSC
> I'm making a Lab to implement a CA with signer key protected inside HSMs such 
> as SmartCard-HSM or Nitrokey, in documentation there is an example for 
> YubicoHSM but I don't get the full idea and the required steps,
> I tried to adapt the YubicoHSM example with SmartCard-HSM but no luck till 
> now, there are no errors in the log, but still no signer,
> Is it enough to set the right token in crypto.yaml file with the matching 
> secret?
> Is there anything to put in the database or some command to execute?
> How to select which signer key within the token to use?

What Oliver said, and some additional background information: OpenXPKI natively 
supports PKCS#11 via OpenSSL.
I suggest to start outside OpenXPKI, set up the HSM so you can use it from the 
command line via OpenSSL. Figure out how tokens and keys are properly 
referenced and which settings are required to make things work with the HSM. 
This is dependent on the hardware's PKCS#11 library.

While you are at it, create a CSR for your CA signing key with your HSM 
protected key via OpenSSL. Issue the CA certificate, import it as a CA token in 
the OpenXPKI realm and make sure that the configuration references the correct 
and matching private key protected by the HSM.

Cheers

Martin
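
The command-line steps described in the reply above, as an added example that is not part of the original message or of OpenXPKI: list the token's keys, reference one key by a PKCS#11 URI, and create the CA CSR with it. It assumes OpenSC's pkcs11-tool and the libp11 "pkcs11" OpenSSL engine; the module path, labels and function names are placeholders.

```shell
#!/bin/sh
# Assumptions (not from the thread): OpenSC's pkcs11-tool and the libp11
# "pkcs11" OpenSSL engine are installed, and the engine is already configured
# to load the HSM's PKCS#11 module. Paths and labels below are placeholders.
MODULE=${MODULE:-/path/to/opensc-pkcs11.so}

# Percent-encode a label for an RFC 7512 PKCS#11 URI (ASCII labels only).
# Encoding more characters than strictly required is still a valid URI.
p11_encode() {
    s=$1 out=
    while [ -n "$s" ]; do
        rest=${s#?}; c=${s%"$rest"}
        case $c in
            [A-Za-z0-9_.~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
        s=$rest
    done
    printf '%s' "$out"
}

# Build the URI that selects one private key (by label) on one token.
p11_key_uri() {
    printf 'pkcs11:token=%s;object=%s;type=private' \
        "$(p11_encode "$1")" "$(p11_encode "$2")"
}

# Show what the PKCS#11 library exposes: tokens first, then private keys.
list_keys() {
    pkcs11-tool --module "$MODULE" --list-token-slots
    pkcs11-tool --module "$MODULE" --token-label "$1" --login \
        --list-objects --type privkey
}

# Create the CA CSR with the HSM-held key; the private key stays on the token.
# The final -verify checks the CSR signature, proving the key reference works.
make_ca_csr() {   # args: token label, key label, subject DN, output file
    openssl req -new -engine pkcs11 -keyform engine \
        -key "$(p11_key_uri "$1" "$2")" -subj "$3" -out "$4"
    openssl req -in "$4" -noout -verify -subject
}

# Runs only when invoked as: script run <token> <key-label> <subject> <csr>
if [ "${1:-}" = run ]; then
    list_keys "$2"
    make_ca_csr "$2" "$3" "$4" "$5"
fi
```

The token and key labels printed by `list_keys` are the values to compare against whatever key reference the OpenXPKI realm configuration ends up using.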



_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
