[openssl-users] Storing private key on tokens

Ken Goldman kgoldman at us.ibm.com
Wed Sep 27 21:13:10 UTC 2017

On 9/27/2017 2:19 PM, Dirk-Willem van Gulik wrote:
>> On 27 Sep 2017, at 20:02, Michael Wojcik
>> The tokens / HSMs I've used don't let you generate a key somewhere
>> else and install it on the token. They insist on doing the key
>> generation locally. That is, after all, part of the point of using
>> a token - the key never leaves it.
> I've found that the Feitian ePass2000's and the Yubico keys allow for
> importing of the private key. They do usually want the 'extra' flags
> to specify use:

FWIW, the TPM hardware also permits key import.  It does validate
attributes, so users will know that the key was not generated on chip.
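An added example (not from this thread or from any TPM software stack) showing which attributes carry that information: it decodes the TPM 2.0 TPMA_OBJECT word that tools such as tpm2_readpublic print and applies the rule that TPM2_Import refuses an object with fixedTPM SET, so the word tells a verifier whether the key could have originated outside the chip. The attribute words fed in are constructed samples, not read from a device.

```python
# Decode a TPM 2.0 TPMA_OBJECT attribute word and classify key provenance.
# Bit positions follow the TPM 2.0 Library Specification, Part 2, TPMA_OBJECT.
TPMA_OBJECT_BITS = {
    "fixedTPM": 1 << 1,             # object can never leave this TPM
    "stClear": 1 << 2,
    "fixedParent": 1 << 4,          # object cannot be re-parented (duplicated)
    "sensitiveDataOrigin": 1 << 5,  # sensitive area was generated by a TPM
    "userWithAuth": 1 << 6,
    "adminWithPolicy": 1 << 7,
    "noDA": 1 << 10,
    "encryptedDuplication": 1 << 11,
    "restricted": 1 << 16,
    "decrypt": 1 << 17,
    "sign": 1 << 18,
}


def parse_tpma_object(attrs):
    """Return the set of attribute names that are SET in the 32-bit word."""
    if not 0 <= attrs <= 0xFFFFFFFF:
        raise ValueError("TPMA_OBJECT is a 32-bit field")
    return {name for name, bit in TPMA_OBJECT_BITS.items() if attrs & bit}


def classify_key_origin(attrs):
    """Classify provenance using only what the TPM itself enforces.

    TPM2_Import rejects objectPublic with fixedTPM SET, so a loaded key
    with fixedTPM SET was created by this TPM and cannot be exported.
    With fixedTPM CLEAR the key may have been imported or duplicated, and
    sensitiveDataOrigin is then only an assertion by whoever built the
    object, not a guarantee checked by this chip.
    """
    flags = parse_tpma_object(attrs)
    if "fixedTPM" in flags and "fixedParent" not in flags:
        raise ValueError("invalid attributes: fixedTPM requires fixedParent")
    if "fixedTPM" in flags and "sensitiveDataOrigin" in flags:
        return "generated on this TPM; cannot have been imported or exported"
    if "fixedTPM" in flags:
        return "created by this TPM from caller-supplied secret; cannot be exported"
    return "may have been imported or duplicated; origin not guaranteed by this TPM"


if __name__ == "__main__":
    # Constructed sample words: a typical storage-key word, then two weaker ones.
    for word in (0x30472, 0x00060, 0x00040):
        print(hex(word), sorted(parse_tpma_object(word)), classify_key_origin(word))
```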