Dear Martin,

Please guide us on where we are stuck in the HSM configuration in OpenXPKI, or how we can debug it. What other debug information do you want from us on this?

Cheers
Scotty

On Thursday 12 September 2024 at 03:58:10 pm GMT+5, Martin Bartosch <vc-...@cynops.de> wrote:

Scott,

> On 12.09.2024 at 11:49, Scott Thomas via OpenXPKI-users <openxpki-users@lists.sourceforge.net> wrote:
>
> I am using this config:
>
> ca-signer:
>     backend: OpenXPKI::Crypto::Backend::OpenSSL
>     key: "label_SubCA"
>     engine: PKCS11
>     engine_section: |
>         engine_id = pkcs11
>         dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
>         MODULE_PATH = /usr/local/cloud/lib/libcloudP11.so
>         #PIN = __PIN__
>         init = 0
>     engine_usage: 'ALWAYS'
>     key_store: ENGINE
>     shell: /usr/bin/openssl
>     randfile: /var/openxpki/rand
>     wrapper: ''
>     secret: signer
>
> signer:
>     label: CloudHSM PIN
>     method: literal
>     value: 12345678
>     cache: daemon
>
>
> but I am getting error:
>
> 2024/09/12 15:31:12 ERROR OpenSSL error: Engine "pkcs11" set.
> Unable to load module /usr/local/primus/lib/libprimusP11.so
> PKCS11_get_private_key returned NULL
> Could not read signing key from org.openssl.engine:pkcs11:SubCA
> 40F79A63977F0000:error:41800005:PKCS#11 module:ERR_CKR_error:General
> Error:p11_load.c:90:
> 40F79A63977F0000:error:40000067:pkcs11 engine:ERR_ENG_error:invalid
> parameter:eng_back.c:603:
> 40F79A63977F0000:error:13000080:engine
> routines:ENGINE_load_private_key:failed loading private
> key:../crypto/engine/eng_pkey.c:79:
> [pid=2071|sid=sgtO|rid=556660de6cf0]
> 2024/09/12 15:31:12 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED;
> __COMMAND__ => cms -sign -binary -nosmimecap -outform PEM -nodetach -engine
> pkcs11 -keyform engine -in /var/tmp/openxpki2071V2OtZFyj -inkey SubCA -signer
> /var/tmp/openxpki2071McLeRFK0 -out /var/tmp/openxpki2071gKQnQ0Wv -passin
> env:pwd, __EXIT_STATUS__ => 512 [pid=2071|sid=sgtO|rid=556660de6cf0]
>
> I've tried passing the key as key: "slot_0-label_SubCA" and key:
> "object=SubCA" but still it did not work, the below command works when I use
> these same attributes in terminal.
>
> openssl cms -sign -binary -nosmimecap -outform PEM -nodetach -engine pkcs11
> -keyform engine -in request.csr -inkey pkcs11:object=SubCA -signer subca.crt
> -out signed_crt.crt -passin pass:12345678

Your configuration does not match the error message, so you have obviously edited one of them. And your sample command line's key specification does not match your OpenXPKI configuration, so why do you expect that it works in OpenXPKI?

Martin
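The two mismatches pointed out in the reply can be found mechanically by comparing the posted config, the logged command and the manual command. This is an added example, not part of the original thread or of OpenXPKI; the function names are hypothetical and the sample strings are constructed from the values quoted above, with temp file names shortened.

```python
import re
import shlex

# Constructed inputs: values copied from the config, log and command quoted
# in the thread (temp file names shortened).
CONFIG = """engine_section: |
    engine_id = pkcs11
    MODULE_PATH = /usr/local/cloud/lib/libcloudP11.so
"""
LOG = """Unable to load module /usr/local/primus/lib/libprimusP11.so
__COMMAND__ => cms -sign -binary -nosmimecap -outform PEM -nodetach -engine
pkcs11 -keyform engine -in /var/tmp/in -inkey SubCA -signer /var/tmp/crt
-out /var/tmp/out -passin env:pwd, __EXIT_STATUS__ => 512
"""
MANUAL = ("openssl cms -sign -binary -nosmimecap -outform PEM -nodetach "
          "-engine pkcs11 -keyform engine -in request.csr "
          "-inkey pkcs11:object=SubCA -signer subca.crt -out signed_crt.crt")

def first(pattern, text):
    """Return group 1 of the first match, or None."""
    m = re.search(pattern, text, re.M | re.S)
    return m.group(1) if m else None

def option(cmdline, flag):
    """Return the argument following `flag` in a command line, or None."""
    args = shlex.split(cmdline or "")
    return args[args.index(flag) + 1] if flag in args[:-1] else None

def mismatches(config, log, manual):
    """List (item, config/log value, other value) for each difference."""
    found = []
    configured = first(r"^\s*MODULE_PATH\s*=\s*(\S+)", config)
    attempted = first(r"Unable to load module (\S+)", log)
    if configured and attempted and configured != attempted:
        found.append(("MODULE_PATH", configured, attempted))
    # The logged command is wrapped over several lines; shlex treats the
    # newlines as ordinary whitespace.
    logged_cmd = first(r"__COMMAND__ => (.*?), __EXIT_STATUS__", log)
    for flag in ("-engine", "-keyform", "-inkey"):
        a, b = option(logged_cmd, flag), option(manual, flag)
        if a != b:
            found.append((flag, a, b))
    return found

if __name__ == "__main__":
    for item, left, right in mismatches(CONFIG, LOG, MANUAL):
        print(f"{item}: {left!r} != {right!r}")
```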