Thanks for the answer. The API is not very specific about this operation. Please see the inline comment.
2009/5/18 <d...@deadhat.com>

> > Hello,
> >
> > Does anybody have any experience with generating a certificate from a
> > certificate request, by signing it with an nCipher HSM (the CA key being
> > stored on the HSM), through the nCore API?
> > I am specifically interested in the actual data stream that I need to
> > provide to the HSM for it to sign.
> > The mechanism that I intend to use for signing is SHA1 - RSA.
> >
> > Thank you in advance for your help!
> >
> > --
> > Silviu Vlasceanu
> >
>
> I tried and failed with the API. I ended up using openssl, with the
> following invocation..
>
> /opt/nfast/bin/preload --preload-file=/opt/nfast/preload/preloadfile
> --name-exact=rsa-<keyname> openssl ca -batch -cert <the signing cert.pem>
> -engine chil -keyform engine -keyfile rsa-<keyname> -extensions <your
> extensions name> -in <your cert request.pem> -out <your certfilename.pem>
> -config ./sign.cnf
>
> I don't think (but I may be wrong) that the nCipher HSM will turn your
> cert request into a well-formed cert. It will just sign the formed cert.
> You still need openssl or something similar to parse the request and make
> a cert.

Let's admit that I already parsed the request and filled the cert with all the required fields, through the OpenSSL API, in an X509 struct. Now which part of the X509 struct should I pass to the HSM for signing? I tried to pass the X509_CINF field in the struct as a char stream, but the HSM does not generate the same signature as OpenSSL would through the X509_sign function, but one longer by 8 bytes (and completely different).

> If you find out how to sign directly through the API, I'd love to know.
> There's a ~300ms setup/teardown cost using openssl to drive the HSM, since
> it is essentially one cert per session. The API hypothetically lets you
> operate much faster, but I could never get it to work.

Thanks a lot!
--
Silviu
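As an added example (not code from this thread, from OpenSSL or from nCipher): what X509_sign signs is the DER encoding of the tbsCertificate, i.e. the X509_CINF member run through i2d, not its in-memory struct layout, hashed with SHA-1 and wrapped in the PKCS#1 v1.5 DigestInfo before RSA padding. The script below splits a DER certificate into tbsCertificate, signatureAlgorithm and signatureValue and shows the bytes a raw RSA operation would have to pad and sign; the certificate it parses is a constructed toy structure, not a real certificate, and the helper names are my own.

```python
import hashlib

# DigestInfo prefix for SHA-1 under PKCS#1 v1.5 (RFC 3447, section 9.2, note 1).
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def der(tag, content):
    """Minimal DER encoder: tag, length (short or long form), content."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_tlv(buf, pos=0):
    """Parse one DER element at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length

def split_certificate(cert_der):
    """Split a DER Certificate into (tbs_der, sig_alg_der, signature_bytes)."""
    tag, pos, end = der_tlv(cert_der)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    t, _, tbs_end = der_tlv(cert_der, pos)      # tbsCertificate SEQUENCE
    assert t == 0x30
    tbs_der = cert_der[pos:tbs_end]             # whole TLV, header included: this is hashed
    t, _, alg_end = der_tlv(cert_der, tbs_end)  # signatureAlgorithm SEQUENCE
    assert t == 0x30
    sig_alg_der = cert_der[tbs_end:alg_end]
    t, sig_start, sig_end = der_tlv(cert_der, alg_end)  # signatureValue BIT STRING
    assert t == 0x03 and sig_end == end
    return tbs_der, sig_alg_der, cert_der[sig_start + 1:sig_end]  # skip unused-bits byte

def sha1_rsa_sign_input(tbs_der):
    """Data a raw PKCS#1 v1.5 RSA operation (no hashing in the HSM) must pad and sign."""
    return SHA1_DIGESTINFO_PREFIX + hashlib.sha1(tbs_der).digest()

# Constructed toy certificate (structure only, not a real X.509 cert): a tbsCertificate
# holding a version and a serial, the sha1WithRSAEncryption identifier, a placeholder signature.
SHA1_WITH_RSA = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010105")) + der(0x05, b""))
TOY_TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01\x23\x45"))
TOY_SIGNATURE = b"\xde\xad\xbe\xef"
TOY_CERT = der(0x30, TOY_TBS + SHA1_WITH_RSA + der(0x03, b"\x00" + TOY_SIGNATURE))

if __name__ == "__main__":
    tbs, _, _ = split_certificate(TOY_CERT)
    print("bytes to hash:", tbs.hex())
    print("PKCS#1 v1.5 sign input:", sha1_rsa_sign_input(tbs).hex())
```

On a real certificate the same split applies to the output of i2d_X509; the tbs_der returned here is what `openssl dgst -sha1 -sign` would hash, so comparing it against the stream handed to the HSM is the quickest check for a byte mismatch.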