Hi,

I'm trying to understand how to make "openssl ca" prompt for a PKCS#11 login PIN. Version is openssl-1.1.1.

openssl req works as I would expect, prompting for PIN:

YUBIHSM_PKCS11_CONF=yubihsm2-pkcs11.conf \
local-build/bin/openssl \
req -config yubihsm2-openssl.conf -new \
-engine pkcs11 -keyform engine -key slot_0-label_ca_key -out certs.dir/ca.csr.pem
engine "pkcs11" set.
Enter PKCS#11 token PIN for YubiHSM:

openssl ca I fail to get working, no prompt presented, tried adding -passin stdin but that has no effect.

YUBIHSM_PKCS11_CONF=yubihsm2-pkcs11.conf \
local-build/bin/openssl ca -passin stdin -engine pkcs11 -keyform engine -key "pkcs11:token=YubiHSM;object=ca_key;type=private" \
-config yubihsm2-openssl.conf \
-days 3650 -extensions vpn_server_cert \
-out server.cert.pem \
-infiles ../server/certs.dir/server.csr.pem
engine "pkcs11" set.
Using configuration from yubihsm2-openssl.conf
Login failed
Login to token failed, returning NULL...
PKCS11_get_private_key returned NULL
cannot load CA private key from engine
140735853761408:error:28078064:UI routines:UI_set_result_ex:result too large:crypto/ui/ui_lib.c:910:You must type in 4 to 32 characters
140735853761408:error:82074007:PKCS#11 module:pkcs11_login:Invalid arguments:p11_slot.c:240:
140735853761408:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:78:
unable to load CA private key

Best Regards
//P