Shoot, I need that functionality. Can I perhaps use the?X509 *load_cert(BIO *err, const char *file, int format, const char *pass, ENGINE *e, const char *cert_descrip) function then? If yes, then can someone elaborate on how to use this function? Thanks On Tuesday, 21 July 2015 8:19 PM, Victor Wagner <vitus at wagner.pp.ru> wrote: On Tue, 21 Jul 2015 13:58:21 +0000 (UTC) Anirudh Raghunath <anirudhraghunath at rocketmail.com> wrote: > Ah okay, that clears up quite a lot of doubts. But the certificate I > want to load is a self signed certificate which has a private key > attached to it. I used the XCA application to export the > certificate-private key pair as a p12 file to the smart card. What > should I do to get the certificate in this case? Thanks. > It doesn't matter how you've installed certificate into smart card. Once it, and its corresponding private key is installed on the card, you can access them separately, using PKCS#11 API (and command-line pkcs11-tool utility). So, you can extract just certificate from certificate-private key pair and put it into the file (but typically you cannot extract private key. You can only use PKCS11 API or OpenSSL ENGINE API on top of it to perform cryptographic operations with this private key. This is what smartcards are for). If you have opensc pkcs11 engine, you also should have pkcs11-tool from opensc project. Use pkcs11-tool --module <your pkcs11 module> --list-objects to find out which certificate-private key pairs are available on your card (you probably already know ID of your key pair, because you've used ENGINE_load_private_key, and it requires key id as argument). Then use pkcs11-tool --module <your pkcs11 module> --write-object <id> --type cert --output-file filename.der to extract certificate from card.? You can then convert it to pem format using openssl x509 -in filename.der -inform DER -out filename.pem or can just use function SSL_CTX_use_certificate_file passing SSL_FILETYPE_ASN1 as its argument. Personally I consider it ugly that one need to extract certificate from token before it can be used in openssl-based applications for any purpose except SSL-client authentication. Function int ENGINE_load_certificate(ENGINE *e, const char *key id, ? ? UI_METHOD *ui_method, void *callback_data) is clearly missing from API. Existence of such function would allow to use smartcards and other hardware tokens to be used 1. In the server applications 2. In the non-SSL (i.e. CMS signing) applications 3. For secondary protocols like OCSP or timestamping authority. _______________________________________________ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150721/e30a0cd0/attachment.html>