[openssl-users] Storing private key on tokens

Dirk-Willem van Gulik dirkx at webweaving.org
Wed Sep 27 18:19:05 UTC 2017


> On 27 Sep 2017, at 20:02, Michael Wojcik <Michael.Wojcik at microfocus.com> wrote:
> 
>> What is the most natural way to generate private keys using openssl but store them on a specific hardware tokens? 
>> Reading/writing is implemented via engine mechanism.
> 
> The tokens / HSMs I've used don't let you generate a key somewhere else and install it on the token. They insist on doing the key generation locally. That is, after all, part of the point of using a token - the key never leaves it.

I've found that the Feitian ePass2000s and the Yubico keys allow importing the private key. They do usually want the 'extra' flags to specify use:

	pkcs15-init --store-private-key .ssh/id_rsa-foo --auth-id 01 --key-usage sign,decrypt --label "ssh key of me at mydomain.com"

and some fail silently when you do not provide these.

Dw.
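
As an added example (not from the post, and not OpenSC's own code), a small POSIX sh wrapper around the command above that also checks the key is actually listed on the token afterwards, since the post notes that some tokens fail silently when the flags are missing. It assumes OpenSC's pkcs15-init and pkcs15-tool are on PATH (overridable via PKCS15_INIT / PKCS15_TOOL) and that pkcs15-tool --list-keys prints each key as `Private RSA Key [label]`.

```shell
#!/bin/sh
# Added example: import an existing private key onto a PKCS#15 token with
# the --auth-id / --key-usage / --label flags the post says some tokens
# require, then confirm the key is really present on the token.
# Assumption: OpenSC tools are on PATH; override for dry runs or tests.
PKCS15_INIT="${PKCS15_INIT:-pkcs15-init}"
PKCS15_TOOL="${PKCS15_TOOL:-pkcs15-tool}"

# key_on_token LABEL
# Returns 0 if pkcs15-tool lists a key with that label, 1 otherwise.
# Assumes the listing format "Private RSA Key [LABEL]".
key_on_token() {
    label=$1
    "$PKCS15_TOOL" --list-keys 2>/dev/null | grep -Fq "Key [$label]"
}

# store_private_key KEYFILE AUTH_ID LABEL
# Returns 0 only if the import command succeeds AND the label then shows
# up in the token's key listing; a token that silently ignores the
# import therefore yields a non-zero status instead of a false success.
store_private_key() {
    keyfile=$1
    auth_id=$2
    label=$3
    if [ ! -r "$keyfile" ]; then
        echo "store_private_key: cannot read $keyfile" >&2
        return 2
    fi
    "$PKCS15_INIT" --store-private-key "$keyfile" \
        --auth-id "$auth_id" \
        --key-usage sign,decrypt \
        --label "$label" || return 1
    if key_on_token "$label"; then
        return 0
    fi
    echo "store_private_key: token did not list '$label' after import" >&2
    return 1
}

# Stand-alone usage: store_on_token.sh KEYFILE AUTH_ID LABEL
if [ "$#" -eq 3 ]; then
    store_private_key "$@"
fi
```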
