[openssl-users] Storing private key on tokens

lists lists at rustichelli.net
Wed Oct 4 08:17:32 UTC 2017


On 09/27/2017 11:13 PM, Ken Goldman wrote:
> On 9/27/2017 2:19 PM, Dirk-Willem van Gulik wrote:
>>
>>> On 27 Sep 2017, at 20:02, Michael Wojcik
>>>
>>> The tokens / HSMs I've used don't let you generate a key somewhere
>>> else and install it on the token. They insist on doing the key
>>> generation locally. That is, after all, part of the point of using
>>> a token - the key never leaves it.
>>
>> I've found that the Feitian ePass2000's and the Yubico keys allow for
>> importing of the private key. They do usually want the 'extra' flags
>> to specify use:
>
> FWIW, the TPM hardware also permits key import.  It does validate 
> attributes, so users will know that the key was not generated on chip.
>

Most smart cards (G&D, Oberthur and InCard) I've dealt with allow for 
external generation of RSA keys and import into the token.
Currently I mostly use InCard cards sold in Italy; I can't tell if the 
other brands are still easily purchasable.
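Ken's point above is the practical one: after an import the device itself records that the secret came from outside, so the attributes on the loaded object tell you which case you are in. The following is an added example, not code from this thread or from any of the vendors named in it. It decodes the provenance and usage attributes for the two object models discussed (a TPM 2.0 TPMA_OBJECT word, per the TCG TPM 2.0 Library spec Part 2, and the PKCS#11 CKA_LOCAL / CKA_ALWAYS_SENSITIVE / CKA_NEVER_EXTRACTABLE and CKA_SIGN / CKA_DECRYPT / CKA_UNWRAP attributes, per the PKCS#11 base spec) and decides whether the key can claim on-device generation. The attribute values at the bottom are constructed samples, not dumps from real hardware, and the dataclass and function names are this example's own.

```python
"""Is this private key one the token generated, or one that was imported?

Added example, not code from the mailing-list thread or from any of the
products named in it. TPMA_OBJECT bit positions follow the TCG TPM 2.0
Library spec, Part 2; CKA_* semantics follow the PKCS#11 base spec. The
attribute values at the bottom are constructed samples, not device dumps.
"""
from dataclasses import dataclass

# TPMA_OBJECT bit positions (TPM 2.0 Library, Part 2). Reserved bits omitted.
TPMA_OBJECT_BITS = {
    "fixedTPM": 1 << 1,
    "stClear": 1 << 2,
    "fixedParent": 1 << 4,
    "sensitiveDataOrigin": 1 << 5,
    "userWithAuth": 1 << 6,
    "adminWithPolicy": 1 << 7,
    "noDA": 1 << 10,
    "encryptedDuplication": 1 << 11,
    "restricted": 1 << 16,
    "decrypt": 1 << 17,
    "sign": 1 << 18,  # "sign/encrypt" in the spec
}


def decode_tpma_object(attrs: int) -> set[str]:
    """Return the names of the TPMA_OBJECT bits that are SET in a 32-bit word."""
    return {name for name, bit in TPMA_OBJECT_BITS.items() if attrs & bit}


def tpm_key_generated_on_chip(attrs: int) -> bool:
    """True only for a key the TPM itself created.

    TPM2_Create SETs sensitiveDataOrigin when it generated the secret, and the
    caller may ask for fixedTPM so the key can never be duplicated out. The
    import path (TPM2_Import) returns TPM_RC_ATTRIBUTES when the public area
    has fixedTPM or fixedParent SET, so an imported key cannot present fixedTPM.
    """
    flags = decode_tpma_object(attrs)
    return "fixedTPM" in flags and "sensitiveDataOrigin" in flags


@dataclass(frozen=True)
class Pkcs11PrivateKey:
    """PKCS#11 private-key attributes that matter for provenance and usage."""
    label: str
    local: bool               # CKA_LOCAL: SET only by C_GenerateKeyPair on the token
    always_sensitive: bool    # CKA_ALWAYS_SENSITIVE: CKA_SENSITIVE was never FALSE
    never_extractable: bool   # CKA_NEVER_EXTRACTABLE: CKA_EXTRACTABLE was never TRUE
    sign: bool = False        # CKA_SIGN
    decrypt: bool = False     # CKA_DECRYPT
    unwrap: bool = False      # CKA_UNWRAP


def pkcs11_key_generated_on_token(key: Pkcs11PrivateKey) -> bool:
    """CKA_LOCAL cannot be supplied to C_CreateObject (the import path), so it
    is the decisive flag; the other two show the secret never left the token."""
    return key.local and key.always_sensitive and key.never_extractable


def pkcs11_usages(key: Pkcs11PrivateKey) -> set[str]:
    """The usage flags a token expects spelled out at import time."""
    usages = {"sign": key.sign, "decrypt": key.decrypt, "unwrap": key.unwrap}
    return {name for name, on in usages.items() if on}


def describe(label: str, on_chip: bool, usages: set[str]) -> str:
    """One-line human-readable provenance and usage summary."""
    origin = "generated on device" if on_chip else "IMPORTED (secret existed outside the device)"
    return f"{label}: {origin}; usage={sorted(usages) or ['none']}"


# Constructed sample attribute words (not dumps from real hardware).
TPM_GENERATED_SIGNING_KEY = 0x00040072  # fixedTPM|fixedParent|sensitiveDataOrigin|userWithAuth|sign
TPM_IMPORTED_KEY = 0x00060040           # userWithAuth|decrypt|sign

PKCS11_GENERATED = Pkcs11PrivateKey("token-gen", True, True, True, sign=True)
PKCS11_IMPORTED = Pkcs11PrivateKey("openssl-gen", False, False, False, sign=True, decrypt=True)

if __name__ == "__main__":
    for label, attrs in (("tpm-created", TPM_GENERATED_SIGNING_KEY), ("tpm-imported", TPM_IMPORTED_KEY)):
        flags = decode_tpma_object(attrs)
        print(describe(label, tpm_key_generated_on_chip(attrs), flags & {"sign", "decrypt", "restricted"}))
    for key in (PKCS11_GENERATED, PKCS11_IMPORTED):
        print(describe(key.label, pkcs11_key_generated_on_token(key), pkcs11_usages(key)))
```

On a real device you would feed these functions the objectAttributes field of the public area returned by TPM2_ReadPublic, or the attribute template read back with C_GetAttributeValue, and refuse to treat a key as hardware-bound unless the check passes; the usage set is what the "extra flags" mentioned earlier in the thread end up populating.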