Hi Henri, from the docs of the module ;)
=head1 Configuration

Set I<engine: AWSCloudHSM> and set the I<key> attribute to point to the fake-key file (supports local file or datapool as with plain OpenSSL software keys).

best regards
Oliver

On 17.01.24 14:38, henri.sunde...@iki.fi wrote:
Is it possible to configure OpenXPKI with AWS CloudHSM Dynamic Engine? I tried something like this in crypto.yaml:

    casigner:
        backend: OpenXPKI::Crypto::Backend::OpenSSL
        key: /etc/openxpki/ca/subca_private_ref.pem
        engine: cloudhsm
        engine_section: |
            engine_id = cloudhsm
            MODULE_PATH = /opt/cloudhsm/lib/libcloudhsm_openssl_engine.so
            #PIN = __PIN__
            init = 0
        engine_usage: 'ALWAYS'
        key_store: OPENXPKI
        shell: /opt/openssl/bin/openssl
        randfile: /var/openxpki/rand
        wrapper: ''
        secret: signer

...but that fails due to the fact that it tries to load a perl module called cloudhsm.pm.

The main difference to PKCS11 is that the private key reference is a fake private key pem file. There are no options to be passed; the HSM pin is expected to be in an env variable. In practice I believe you need to just pass "-engine cloudhsm" to openssl for this engine to work.

Br, //HS

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
-- Protect your environment - close windows and adopt a penguin!
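For readers landing on this thread later, here is Henri's crypto.yaml token block rewritten the way Oliver's answer describes. This is an added illustration, not text from the OpenXPKI documentation or from either poster: only the two changes Oliver names (`engine: AWSCloudHSM`, and `key` pointing at the fake-key PEM) come from the thread, the remaining keys and paths are carried over from Henri's original attempt, and it is an assumption here that the `engine_section` block for loading the shared library is still required once the OpenXPKI engine module is used. As Henri notes, the HSM PIN is read from an environment variable by the CloudHSM engine, so no PIN belongs in this file.

```yaml
# crypto.yaml (excerpt) - illustration built from the thread, not project docs
casigner:
    backend: OpenXPKI::Crypto::Backend::OpenSSL
    # Fake-key PEM that references the key inside the HSM (local file or
    # datapool, exactly as with a plain OpenSSL software key).
    key: /etc/openxpki/ca/subca_private_ref.pem
    # OpenXPKI engine module name from the module docs, NOT the OpenSSL
    # engine id; "cloudhsm" made OpenXPKI look for a cloudhsm.pm module.
    engine: AWSCloudHSM
    # Assumption: still needed to point OpenSSL at the CloudHSM engine library.
    engine_section: |
        engine_id = cloudhsm
        MODULE_PATH = /opt/cloudhsm/lib/libcloudhsm_openssl_engine.so
        init = 0
    engine_usage: 'ALWAYS'
    key_store: OPENXPKI
    shell: /opt/openssl/bin/openssl
    randfile: /var/openxpki/rand
    wrapper: ''
    # No PIN here: the CloudHSM engine takes it from its environment variable.
    secret: signer
```

After changing the engine name, check the OpenXPKI logs for the engine module being loaded instead of a "cannot find cloudhsm.pm"-style error; the fake-key file itself can be verified separately by running a signing operation with the openssl binary given in `shell` and "-engine cloudhsm", as Henri describes.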