> On 27 Sep 2017, at 20:02, Michael Wojcik <Michael.Wojcik@xxxxxxxxxxxxxx> wrote: > >> What is the most natural way to generate private keys using openssl but store them on a specific hardware tokens? >> Reading/writing is implemented via engine mechanism. > > The tokens / HSMs I've used don't let you generate a key somewhere else and install it on the token. They insist on doing the key generation locally. That is, after all, part of the point of using a token - the key never leaves it. I've found that the Feitian ePass2000's and the Yubico keys allow for importing of the private key. They do usually want the 'extra' flags to specify use: pkcs15-init --store-private-key .ssh/id_rsa-foo --auth-id 01 --key-usage sign,decrypt --label "ssh key of me@xxxxxxxxxxxx" and some fail silently when you do not provide these. Dw. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
