Re: Storing private key on tokens

> On 27 Sep 2017, at 20:02, Michael Wojcik <Michael.Wojcik@xxxxxxxxxxxxxx> wrote:
> 
>> What is the most natural way to generate private keys using openssl but store them on specific hardware tokens?
>> Reading/writing is implemented via engine mechanism.
> 
> The tokens / HSMs I've used don't let you generate a key somewhere else and install it on the token. They insist on doing the key generation locally. That is, after all, part of the point of using a token - the key never leaves it.

I've found that the Feitian ePass2000s and the Yubico keys allow for importing of the private key. They do usually want the 'extra' flags to specify use:

	pkcs15-init --store-private-key .ssh/id_rsa-foo --auth-id 01 --key-usage sign,decrypt --label "ssh key of me@xxxxxxxxxxxx"

and some fail silently when you do not provide these.

Dw.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
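
A check for the silent failure mentioned in the message above, as an added example that is not part of the original post: it parses a private-key listing and reports whether the imported key is present with the requested usage and auth ID. The sample listing is constructed and its layout, modelled on `pkcs15-tool --list-keys`, is an assumption; `parse_private_keys` and `verify_import` are hypothetical helper names.

```python
import re

# Constructed sample modelled on `pkcs15-tool --list-keys` output (an assumption:
# the exact field layout can differ between OpenSC versions and cards).
SAMPLE_LISTING = (
    "Private RSA Key [ssh key of me@example.org]\n"
    "\tUsage          : [0x6], decrypt, sign\n"
    "\tModLength      : 2048\n"
    "\tAuth ID        : 01\n"
    "\n"
    "Private RSA Key [backup key]\n"
    "\tUsage          : [0x4], sign\n"
    "\tAuth ID        : 01\n"
)

HEADER = re.compile(r"^Private (\S+) Key \[(.*)\]\s*$")
FIELD = re.compile(r"^\s+([^:]+?)\s*:\s*(.*)$")

def parse_private_keys(listing):
    """Return one dict per private-key object: its label plus its raw fields."""
    keys, current = [], None
    for line in listing.splitlines():
        header, field = HEADER.match(line), FIELD.match(line)
        if header:
            current = {"label": header.group(2), "fields": {}}
            keys.append(current)
        elif field and current is not None:
            current["fields"][field.group(1)] = field.group(2).strip()
        elif not line.strip():
            current = None  # a blank line ends the current object
    return keys

def verify_import(listing, label, required_usage, auth_id):
    """Return a list of problems; an empty list means the import took effect."""
    matches = [k for k in parse_private_keys(listing) if k["label"] == label]
    if not matches:
        return [f"no private key labelled {label!r} on the token"]
    fields = matches[0]["fields"]
    # Usage looks like "[0x6], decrypt, sign": drop the bitmask, keep the names.
    names = {p.strip() for p in fields.get("Usage", "").split(",")}
    names = {p for p in names if p and not p.startswith("[")}
    problems = []
    missing = sorted(set(required_usage) - names)
    if missing:
        problems.append("missing usage: " + ", ".join(missing))
    if fields.get("Auth ID") != auth_id:
        problems.append(f"Auth ID is {fields.get('Auth ID')!r}, expected {auth_id!r}")
    return problems
```

In practice the listing text would be the captured output of the token tool run after the import, and a non-empty result is the signal that the store did not take effect as requested.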


