> From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf
> Of Blumenthal, Uri - 0553 - MITLL
> Sent: Friday, July 07, 2017 10:03
> To: openssl-users@xxxxxxxxxxx
> Subject: Re: OpenSSL Engine for TPM
>
> And in most cases (except those involving TPM-based platform attestation,
> which I don’t think has anything to do with OpenSSL use cases), a separate
> hardware token (like a smartcard, or an HSM) would IMHO be a much better
> and more usable choice. PKCS#11 engine (libp11) to access those is quite
> popular and works well.

Agreed. I've had good results with OpenSC-based devices such as the NitroKey HSM using the OpenSSL PKCS#11 engine. Requires installing the various prereqs and a bit of setup and experimentation, but it all works.

On Windows, the CAPI engine can also generally be used to drive HSMs, if they don't have a suitable PKCS#11 driver.

Michael Wojcik
Distinguished Engineer, Micro Focus