The command was wrong. Here is the good one:

OpenSSL> ca -engine pkcs11 -keyfile id_45 -keyform engine -in req.pem -out cert.pem -config tools/conf/openssl.cnf

By Philippe.

Quoting [EMAIL PROTECTED]:
>
> Hi
>
> I have the following environment:
> - openssl 9.8.a
> - openct/opensc/pkcs11_engine
> - etoken USB Pro 64
> - Fedora Core 5
>
> My target is to set up a small PKI using openssl ca and to use the etoken to host
> the root private key.
>
> So I have initialized the token:
> $ opensc-tool --list-reader
> Readers known about:
> Nr.    Driver     Name
> 0      openct     Aladdin eToken PRO 64k
> 1      openct     OpenCT reader (detached)
> 2      openct     OpenCT reader (detached)
> 3      openct     OpenCT reader (detached)
> 4      openct     OpenCT reader (detached)
> $ pkcs15-init --create-pkcs15
> $ pkcs15-init --store-pin --auth-id 01 --label "xxx"
> $ pkcs15-init --store-private-key key.pem --id 45 --auth-id 01
> $ pkcs15-tool --list-keys -auth-id 01
> Private RSA Key [Private Key]
>     Com. Flags  : 3
>     Usage       : [0x4], sign
>     Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
>     ModLength   : 2048
>     Key ref     : 16
>     Native      : yes
>     Path        : 3f005015
>     Auth ID     : 01
>     ID          : 45
>
> I have built a CSR using the req command of openssl.
>
> Then I try to sign this CSR using the private key inside the token:
> $ openssl
> OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
>
> (dynamic) Dynamic engine loading support
> [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
> [Success]: ID:pkcs11
> [Success]: LIST_ADD:1
> [Success]: LOAD
> [Success]: MODULE_PATH:/usr/lib/opensc-pkcs11.so
> Loaded: (pkcs11) pkcs11 engine
>
> OpenSSL> ca -engine pkcs11 -key id_45 -in req.pem -out cert.pem -config tools/conf/openssl.cnf
> Using configuration from tools/conf/openssl.cnf
> engine "pkcs11" set.
> unable to load CA private key
> 32293:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:454:
> 32293:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:425:
> error in ca
>
> Any idea on the issue?
> Is it the right way to build a ca command using an engine?
>
> Thanks
>
> Philippe.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
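
Added example, not part of the original messages: `openssl ca` reads `-key` as the passphrase for the CA key and `-keyfile` as the key itself, which this script reproduces with a file-based key instead of a token. It assumes the `private_key` entry in the config names a passphrase-protected PEM file; the CA, subject names and the passphrase `secret` are constructed.

```shell
#!/bin/sh
# Added example: reproduces the -key / -keyfile mix-up with a file-based CA key
# (no token or engine needed). Names and the passphrase "secret" are constructed.
demo_ca_key_flags() (
  d=$(mktemp -d) || exit 1
  trap 'rm -rf "$d"' EXIT
  cd "$d" || exit 1
  mkdir newcerts && : > index.txt && echo 01 > serial || exit 1
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[ca]
default_ca = CA_default
[CA_default]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 1
policy = pol
[pol]
commonName = supplied
EOF
  # CA key encrypted with passphrase "secret"; private_key above points to it.
  openssl req -x509 -newkey rsa:2048 -keyout ca.key -passout pass:secret \
    -subj "/CN=Demo CA" -days 1 -out ca.crt -config ca.cnf 2>/dev/null || exit 1
  openssl req -new -newkey rsa:2048 -nodes -keyout req.key \
    -subj "/CN=demo-leaf" -out req.pem -config ca.cnf 2>/dev/null || exit 1
  # Original form: "-key id_45" passes "id_45" as the passphrase for the
  # default private_key, so loading the CA key fails with "bad decrypt".
  if openssl ca -batch -config ca.cnf -key id_45 \
       -in req.pem -out cert1.pem </dev/null >/dev/null 2>&1
  then a=signed; else a=failed; fi
  # -keyfile names the key; -key carries its passphrase.
  if openssl ca -batch -config ca.cnf -keyfile ca.key -key secret \
       -in req.pem -out cert2.pem </dev/null >/dev/null 2>&1
  then b=signed; else b=failed; fi
  echo "key-as-name:$a keyfile+passphrase:$b"
)
demo_ca_key_flags
```

With a key held on a token, `-keyform engine` additionally tells `ca` to hand the `-keyfile` value to the engine instead of opening it as a file.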