[openssl-users] Getting certificates from smartcards

Anirudh Raghunath anirudhraghunath at rocketmail.com
Tue Jul 21 13:58:21 UTC 2015


Ah okay, that clears up quite a lot of doubts. But the certificate I want to load is a self-signed certificate which has a private key attached to it. I used the XCA application to export the certificate/private-key pair as a p12 file to the smart card. What should I do to get the certificate in this case? Thanks.

On Tuesday, 21 July 2015 2:40 PM, Dr. Stephen Henson <steve at openssl.org> wrote:

On Tue, Jul 21, 2015, Victor Wagner wrote:

> On Tue, 21 Jul 2015 06:58:24 +0000 (UTC)
> Anirudh Raghunath <anirudhraghunath at rocketmail.com> wrote:
> 
> As far as I can understand, this function is designed to be called from
> the client certificate callback, set with function
> SSL_CTX_set_client_cert_cb. This callback gets pointer to SSL structure
> (which should be passed to ENGINE_load_ssl_client_cert) and can use
> SSL_get_client_CA_list to obtain list of CAs, which server would trust.
> (SSL protocol allows to send this list to client).
> 

It's intended to be called automatically when SSL_CTX_set_client_cert_engine
sets up a "client authentication ENGINE".

> So, you would pass to the ENGINE_load_ssl_client_certs
> 
> 1. reference to engine to use
> 2. pointer to SSL object of your client connection (don't know why it
> might be needed), 

This is there so the ENGINE can query other properties of the connection which
might decide which chain to use. For example the supported signature
algorithms.

> 
> Unfortunately, I do not know any engine which does all the things above.
> I've looked into source of OpenSC pkcs11 engine version 0.1.8 and found
> out that it doesn't support this function.
> 

The CryptoAPI ENGINE performs some of these tasks but so far it is the only
one I'm aware of.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

