Hello again: Aaack - my bad for not re-reading the post - the openssl.cnf section should be:
[ openssl_init ]
engines = engine_section
oid_section = new_oids

[ engine_section ]
lunahsm = luna_hsm

[ luna_hsm ]
engine_id = LunaCA3
init = 0

Sorry for the confusion.

Patrick.

On September 17, 2008 02:14:59 pm Patrick Patterson wrote:
> Hi Ricardo:
>
> On September 17, 2008 12:52:23 pm Ricardo Garcia Reis wrote:
> > Hey fellows,
> >
> > I want your help, to implement an integration with SafeNet HSM Hardware.
> > I know OpenSSL, but never used with PKCS#11.
>
> The Engine interface is your friend :) And WHICH Safenet HSM? Have you
> taken a look at their SDK? They have several good examples in the OpenSSL
> Appendix there that probably do what you want. The other thing that you
> will need are their patches to OpenSSL to make the engine interface able to
> talk to the HSM, or it will never work.
>
> > I have an HTTPS server and wonder how I inform the certificate,
> > private key and passphrase for the HTTPS handshake using PKCS#11.
> >
> > How to change my functions load_key and load_cert to use PKCS#11 ?? Any
> > good sample ?? I tried the OpenSC samples, but ..
>
> Did you write this server yourself? If so, then you really should talk to
> Safenet and get the SDK if you don't already have it, and probably a
> development support contract. LibCrystoki and OpenSSL are a bit tricky in
> how they work together :)
>
> Other than that, to get the command line tools working, it should be a
> matter of editing your openssl.cnf file to have something like (if you have
> a CA3, or equivalent - check your documentation):
>
> [ openssl_init ]
> engines = engine_section
> oid_section = new_oids
>
> [ engine_section ]
> lunahsm = luna_hsm
>
> [ smartcard_section ]
> engine_id = LunaCA3
> init = 0
>
> and your /etc/Chrystoki.conf file to have a section that looks like:
>
> EngineLunaCA3 = {
>   LibPath = /usr/lunapcm/lib/libCryptoki2.so;
>   EngineInit=1:10:11;
> }
>
> And then
>
> # login to the HSM
> sautil -o -s 1 -i 10:11
>
> # do something with s_client
> openssl s_client -connect remoteserver:443 -engine LunaCA3 -key sautil-generated.key -cert \
>   client-cert.pem
>
> # log out of the HSM
> sautil -c -s 1 -i 10:11
>
> But, as I said, it's probably best to talk to SafeNet directly, since the
> entire process of getting the right ".key" file is a bit tricky.
>
> Have fun.

-- 
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
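The correction above fixes a dangling reference: `[ engine_section ]` points at `luna_hsm`, but the first post defined the engine block as `[ smartcard_section ]`, so the engine wiring silently never resolves. The following checker is an added example, not code from this thread, from OpenSSL or from SafeNet: it parses the small subset of openssl.cnf syntax used here (sections, `key = value`, `#` comments), walks `openssl_init -> engines -> <alias> = <section>` and reports references to sections that do not exist, engine sections without an `engine_id`, and engine sections nothing references. The two embedded configs are constructed from the thread; the function names and the simplified parser are assumptions of this example, not OpenSSL's own config API.

```python
"""Consistency check for engine wiring in an openssl.cnf (added example).

Parses only the subset of openssl.cnf syntax seen in the thread:
  [ section ]      section header
  key = value      assignment
  # ...            comment
It does not implement $var expansion or other OpenSSL CONF features.
"""
import re

SECTION_RE = re.compile(r"^\s*\[\s*([^\]]+?)\s*\]\s*$")

# Constructed from the thread: the first post, whose engine block name
# (smartcard_section) does not match the alias target (luna_hsm).
BROKEN_CNF = """
[ openssl_init ]
engines = engine_section
oid_section = new_oids

[ engine_section ]
lunahsm = luna_hsm

[ smartcard_section ]
engine_id = LunaCA3
init = 0
"""

# Constructed from the thread: the corrected follow-up.
FIXED_CNF = BROKEN_CNF.replace("[ smartcard_section ]", "[ luna_hsm ]")


def parse_cnf(text):
    """Return {section_name: {key: value}} for the simplified syntax above."""
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def check_engine_wiring(text, init_section="openssl_init"):
    """Return a list of problem strings; an empty list means the wiring resolves."""
    cfg = parse_cnf(text)
    init = cfg.get(init_section)
    if init is None:
        return [f"missing [{init_section}] section"]
    engines_name = init.get("engines")
    if engines_name is None:
        return [f"[{init_section}] has no 'engines =' entry"]
    engines = cfg.get(engines_name)
    if engines is None:
        return [f"engines = {engines_name} but [{engines_name}] is not defined"]

    problems = []
    # Every alias in the engines section must point at an existing
    # section that actually names an engine via engine_id.
    for alias, target in engines.items():
        target_sec = cfg.get(target)
        if target_sec is None:
            problems.append(f"{alias} = {target} but [{target}] is not defined")
        elif "engine_id" not in target_sec:
            problems.append(f"[{target}] has no engine_id")

    # An engine section nothing points at is the other half of the same
    # mistake: the engine is configured but can never be loaded this way.
    referenced = set(engines.values())
    for name, sec in cfg.items():
        if "engine_id" in sec and name not in referenced:
            problems.append(
                f"[{name}] defines engine_id {sec['engine_id']} but nothing references it"
            )
    return problems


if __name__ == "__main__":
    for label, cnf in (("broken", BROKEN_CNF), ("fixed", FIXED_CNF)):
        print(f"{label}: {check_engine_wiring(cnf) or 'ok'}")
```

Run against the first post's config it reports both halves of the mismatch (`lunahsm = luna_hsm` points nowhere, and `[smartcard_section]` is orphaned); against the corrected config it reports nothing. Because OpenSSL itself gives no loud error for an alias that resolves to an absent section, a check like this is worth running before blaming the HSM library or the `.key` file.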