[openssl-users] Storing private key on tokens
lists at rustichelli.net
Wed Oct 4 08:17:32 UTC 2017
On 09/27/2017 11:13 PM, Ken Goldman wrote:
> On 9/27/2017 2:19 PM, Dirk-Willem van Gulik wrote:
>>> On 27 Sep 2017, at 20:02, Michael Wojcik
>>> The tokens / HSMs I've used don't let you generate a key somewhere
>>> else and install it on the token. They insist on doing the key
>>> generation locally. That is, after all, part of the point of using
>>> a token - the key never leaves it.
>> I've found that the Feitian ePass2000's and the Yubico keys allow for
>> importing of the private key. They do usually want the 'extra' flags
>> to specify use:
> FWIW, the TPM hardware also permits key import. It does validate
> attributes, so users will know that the key was not generated on chip.
Most smart cards (G&D, Oberthur and InCard) I've dealt with allow for
external generation of RSA keys and import into the token.
Currently I mostly use InCard cards sold in Italy; I can't tell if the
other brands are still easily purchasable.
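The thread turns on one distinction: whether a token lets you import private key material, and whether an imported key is distinguishable afterwards from one generated on the device. Ken Goldman's point about the TPM validating attributes has an equivalent on PKCS#11 tokens. As an added illustration that is not code from this thread or from OpenSSL, the following checker applies a simple policy to key attribute records: CKA_LOCAL, CKA_SENSITIVE and CKA_EXTRACTABLE are the real PKCS#11 attribute names, and sensitiveDataOrigin and fixedTPM are real TPM 2.0 object attributes, but the key records themselves are constructed samples rather than output read from any token.

```python
"""Audit key objects for signs that the private key was imported.

Added example, not part of the openssl-users thread. The attribute names
are real (PKCS#11 CKA_* and TPM 2.0 TPMA_OBJECT bits); every record below
is a constructed sample, not data read from a real token or TPM.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkcs11Key:
    label: str
    local: bool        # CKA_LOCAL: TRUE only if the token generated the key itself
    sensitive: bool    # CKA_SENSITIVE: TRUE means plaintext export is forbidden
    extractable: bool  # CKA_EXTRACTABLE: TRUE means the key may be wrapped out


def audit_pkcs11(key: Pkcs11Key) -> list[str]:
    """Return policy findings for one PKCS#11 private key object."""
    findings = []
    if not key.local:
        # The token records that the key material was supplied from outside,
        # which is exactly how an operator can tell an imported key apart.
        findings.append("CKA_LOCAL is FALSE: key was imported, not generated on the token")
    if not key.sensitive:
        findings.append("CKA_SENSITIVE is FALSE: private material may be read in plaintext")
    if key.extractable:
        findings.append("CKA_EXTRACTABLE is TRUE: private material may be wrapped off the token")
    return findings


def audit_tpm2(label: str, attrs: frozenset[str]) -> list[str]:
    """Return policy findings for a TPM 2.0 object given its TPMA_OBJECT names."""
    findings = []
    if "sensitiveDataOrigin" not in attrs:
        # CLEAR means the sensitive part was provided by the caller rather
        # than generated inside a TPM.
        findings.append("sensitiveDataOrigin CLEAR: sensitive data was supplied, not TPM-generated")
    if "fixedTPM" not in attrs:
        # CLEAR means the object may be duplicated to another parent or TPM,
        # so the TPM cannot assert the key has never left it.
        findings.append("fixedTPM CLEAR: key may be duplicated off this TPM")
    return findings


# Constructed sample inventory (not real token output).
PKCS11_KEYS = [
    Pkcs11Key("onchip-signing", local=True, sensitive=True, extractable=False),
    Pkcs11Key("imported-escrow", local=False, sensitive=True, extractable=False),
    Pkcs11Key("dev-test", local=False, sensitive=False, extractable=True),
]

TPM2_KEYS = {
    "tpm-resident": frozenset({"fixedTPM", "fixedParent", "sensitiveDataOrigin"}),
    "tpm-imported": frozenset({"fixedParent"}),
}


def run_audit() -> dict[str, list[str]]:
    """Audit both inventories and return label -> findings (empty list = clean)."""
    report = {k.label: audit_pkcs11(k) for k in PKCS11_KEYS}
    report.update({label: audit_tpm2(label, a) for label, a in TPM2_KEYS.items()})
    return report


if __name__ == "__main__":
    for label, findings in run_audit().items():
        status = "OK" if not findings else "REVIEW"
        print(f"{status:6} {label}")
        for f in findings:
            print(f"       - {f}")
```

The useful property here is that on both families the import path is visible after the fact: a key that was generated elsewhere and loaded carries attributes a policy can catch, so "generated on-device" can be enforced by reading attributes at enrolment time rather than trusted on the vendor's word.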