[openssl-users] Getting certificates from smartcards
Anirudh Raghunath
anirudhraghunath at rocketmail.com
Tue Jul 21 13:58:21 UTC 2015
Ah okay, that clears up quite a lot of doubts. But the certificate I want to load is a self signed certificate which has a private key attached to it. I used the XCA application to export the certificate-private key pair as a p12 file to the smart card. What should I do to get the certificate in this case? Thanks.
On Tuesday, 21 July 2015 2:40 PM, Dr. Stephen Henson <steve at openssl.org> wrote:
On Tue, Jul 21, 2015, Victor Wagner wrote:
> On Tue, 21 Jul 2015 06:58:24 +0000 (UTC)
> Anirudh Raghunath <anirudhraghunath at rocketmail.com> wrote:
>
> As far as I can understand, this function is designed to be called from
> the client certificate callback, set with function
> SSL_CTX_set_client_cert_cb. This callback gets pointer to SSL structure
> (which should be passed to ENGINE_load_ssl_client_cert) and can use
> SSL_get_client_CA_list to obtain list of CAs, which server would trust.
> (SSL protocol allows to send this list to client).
>
It's intended to be called automatically when SSL_CTX_set_client_cert_engine
sets up a "client authentication ENGINE".
> So, you would pass to the ENGINE_load_ssl_client_certs
>
> 1. reference to engine to use
> 2. pointer to SSL object of your client connection (don't know why it
> might be needed),
This is there so the ENGINE can query other properties of the connection which
might decide which chain to use. For example the supported signature
algorithms.
>
> Unfortunately, I do not know any engine which does all the things above.
> I've looked into source of OpenSC pkcs11 engine version 0.1.8 and found
> out that it doesn't support this function.
>
The CrytpoAPI ENGINE performs some of these tasks but so far it is the only
one I'm aware of.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150721/7de2fae9/attachment.html>
More information about the openssl-users
mailing list