[openssl-users] Storing private key on tokens
Dirk-Willem van Gulik
dirkx at webweaving.org
Wed Sep 27 12:51:45 UTC 2017
On 27 Sep 2017, at 14:22, Dmitry Belyavsky <beldmit at gmail.com> wrote:
> What is the most natural way to generate private keys using openssl but store them on a specific hardware tokens? Reading/writing is implemented via engine mechanism.
>
> I suppose that it should be added support of -outform ENGINE to the genpkey command, but do not understatnd how to deal with it after that.
The OpenSC tools integrate nicely (and the yubico toools too with a bit more fiddling).
You typically end up with constructs like:
${OPENSSL} << EOM || exit 1
engine dynamic -pre SO_PATH:/Library/OpenSC/lib/engines/engine_pkcs11.so \
-pre ID:pkcs11 \
-pre LIST_ADD:1 -pre LOAD \
-pre MODULE_PATH:opensc-pkcs11.so \
\
XXX -engine pkcs11 -key slot_$SLOT-id_$KID -keyform engine YYYYYY
EOM
where ‘XX’ and ‘YYY’ are the openssl command and arguments. The slot information of existing keys does usually need OpenSC or similar; as there is no easy syntaxtic sugar to get access for the engine (AFAIK):
set `pkcs11-tool --module /Library/OpenSC/lib/opensc-pkcs11.so --list-slots | grep Slot | grep SCM`
SLOT=$2
set `pkcs15-tool --list-keys | grep ID`
AID=$4
KID=$7
Dw.
More information about the openssl-users
mailing list