On 27 Sep 2017, at 14:22, Dmitry Belyavsky <beld...@gmail.com> wrote:
> What is the most natural way to generate private keys using openssl but store
> them on a specific hardware tokens? Reading/writing is implemented via engine
> mechanism.
>
> I suppose that it should be added support of -outform ENGINE to the genpkey
> command, but do not understatnd how to deal with it after that.
The OpenSC tools integrate nicely (and the yubico toools too with a bit more
fiddling).
You typically end up with constructs like:
${OPENSSL} << EOM || exit 1
engine dynamic -pre
SO_PATH:/Library/OpenSC/lib/engines/engine_pkcs11.so \
-pre ID:pkcs11 \
-pre LIST_ADD:1 -pre LOAD \
-pre MODULE_PATH:opensc-pkcs11.so \
\
XXX -engine pkcs11 -key slot_$SLOT-id_$KID -keyform
engine YYYYYY
EOM
where ‘XX’ and ‘YYY’ are the openssl command and arguments. The slot
information of existing keys does usually need OpenSC or similar; as there is
no easy syntaxtic sugar to get access for the engine (AFAIK):
set `pkcs11-tool --module /Library/OpenSC/lib/opensc-pkcs11.so
--list-slots | grep Slot | grep SCM`
SLOT=$2
set `pkcs15-tool --list-keys | grep ID`
AID=$4
KID=$7
Dw.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
