On 09/27/2017 11:13 PM, Ken Goldman wrote:
On 9/27/2017 2:19 PM, Dirk-Willem van Gulik wrote:
On 27 Sep 2017, at 20:02, Michael Wojcik
The tokens / HSMs I've used don't let you generate a key somewhere
else and install it on the token. They insist on doing the key
generation locally. That is, after all, part of the point of using
a token - the key never leaves it.
I've found that the Feitian ePass2000's and the Yubico keys allow for
importing of the private key. They do usually want the 'extra' flags
to specify use:
FWIW, the TPM hardware also permits key import. It does validate
attributes, so users will know that the key was not generated on chip.
Most smart cards (G&D, Oberthur and InCard) I've dealt with allow for
external generation of RSA keys and import into the token.
Currently I mostly use InCard cards sold in Italy, I can't tell if the
other brands are still easily purchaseable.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
