[openssl-users] openssl ca pkcs11 UI_set_result_ex:result too large:crypto/ui/ui_lib.c:910:You must type in 4 to 32 characters

Peter Magnusson blaufish.public.email at gmail.com
Mon Oct 15 15:40:10 UTC 2018


I'm trying to understand how to make "openssl ca" prompt for a PKCS#11
login PIN. Version is openssl-1.1.1.

openssl req works as I would expect, prompting for PIN:

YUBIHSM_PKCS11_CONF=yubihsm2-pkcs11.conf \
local-build/bin/openssl \
 req -config yubihsm2-openssl.conf -new \
 -engine pkcs11 -keyform engine -key slot_0-label_ca_key -out
engine "pkcs11" set.
Enter PKCS#11 token PIN for YubiHSM:

I fail to get openssl ca working: no prompt is presented. I tried adding
-passin stdin, but that has no effect.

YUBIHSM_PKCS11_CONF=yubihsm2-pkcs11.conf \
 local-build/bin/openssl ca -passin stdin -engine pkcs11 -keyform engine -key "pkcs11:token=YubiHSM;object=ca_key;type=private" \
 -config yubihsm2-openssl.conf \
 -days 3650 -extensions vpn_server_cert \
 -out server.cert.pem \
 -infiles ../server/certs.dir/server.csr.pem
engine "pkcs11" set.
Using configuration from yubihsm2-openssl.conf
Login failed
Login to token failed, returning NULL...
PKCS11_get_private_key returned NULL
cannot load CA private key from engine
140735853761408:error:28078064:UI routines:UI_set_result_ex:result too large:crypto/ui/ui_lib.c:910:You must type in 4 to 32 characters
140735853761408:error:82074007:PKCS#11 module:pkcs11_login:Invalid
routines:ENGINE_load_private_key:failed loading private
unable to load CA private key

Best Regards
