<div dir="ltr"><div>You cannot keep the certificate from OpenSSL, as that's the piece that you share with the remote side. This contains the public key, and the information bound to that public key by the CA.<br><br>However, you can keep the private key from being seen by OpenSSL. There exists what is called an ENGINE interface to offload cryptographic operations to a container. Right now, <a href="https://wiki.openssl.org/index.php/Creating_an_OpenSSL_Engine_to_use_indigenous_ECDH_ECDSA_and_HASH_Algorithms">https://wiki.openssl.org/index.php/Creating_an_OpenSSL_Engine_to_use_indigenous_ECDH_ECDSA_and_HASH_Algorithms</a> seems to be the best documentation available to explain the process of creating it. Obviously, depending on the type of key you're using, you will probably need to figure out the differences.<br><br></div><div>-Kyle H<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Dec 19, 2016 at 3:22 AM, Andy Green <span dir="ltr"><<a href="mailto:andy@warmcat.com" target="_blank">andy@warmcat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi -<br>
<br>
I have a situation coming up that is similar to a client cert being<br>
held on a secure key store, like a key vault.<br>
<br>
We need to be able to perform TLS communication with a remote server<br>
using the key, but without giving the key to OpenSSL.<br>
<br>
The "other side" of the "key vault" is smart, and we can run code<br>
there, and communicate with it. So we need to basically proxy OpenSSL<br>
operations on the "other side".<br>
<br>
I guess this is nothing new under the sun... what's the general<br>
approach to integrating this to OpenSSL?<br>
<br>
Thanks for any advice.<br>
<span class="HOEnZb"><font color="#888888"><br>
-Andy<br>
--<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/<wbr>mailman/listinfo/openssl-users</a><br>
</font></span></blockquote></div><br></div>