[openssl-users] Storing private key on tokens

Dirk-Willem van Gulik dirkx at webweaving.org
Wed Sep 27 12:51:45 UTC 2017

On 27 Sep 2017, at 14:22, Dmitry Belyavsky <beldmit at gmail.com> wrote:

> What is the most natural way to generate private keys using openssl but store them on a specific hardware tokens? Reading/writing is implemented via engine mechanism.
> I suppose that it should be added support of -outform ENGINE to the genpkey command, but do not understatnd how to deal with it after that. 

The OpenSC tools integrate nicely (and the yubico toools too with a bit more fiddling).

You typically end up with constructs like:

	${OPENSSL} << EOM || exit 1
	engine dynamic -pre SO_PATH:/Library/OpenSC/lib/engines/engine_pkcs11.so \
			-pre ID:pkcs11 \
			-pre LIST_ADD:1 -pre LOAD \
			-pre MODULE_PATH:opensc-pkcs11.so \
			XXX -engine pkcs11 -key slot_$SLOT-id_$KID -keyform engine YYYYYY

where ‘XX’ and ‘YYY’ are the openssl command and arguments. The slot information of existing keys does usually need OpenSC or similar; as there is no easy syntaxtic sugar to get access for the engine (AFAIK):

	set `pkcs11-tool --module /Library/OpenSC/lib/opensc-pkcs11.so --list-slots | grep Slot | grep SCM`
	set `pkcs15-tool --list-keys | grep ID`


More information about the openssl-users mailing list