The error can be worked around by entering PIN = "..." into [pkcs11_section]. pkcs11 engine version is libp11-0.4.9. Anyone know if this is a 1) libp11 issue or 2) openssl issue or 3) me doing something wrong?

On Mon, Oct 15, 2018 at 5:40 PM Peter Magnusson <blaufish.public.email@xxxxxxxxx> wrote:
>
> Hi,
>
> I'm trying to understand how to make "openssl ca" prompt for a PKCS#11
> login PIN. Version is openssl-1.1.1.
>
> openssl req works as I would expect, prompting for PIN:
>
> YUBIHSM_PKCS11_CONF=yubihsm2-pkcs11.conf \
> local-build/bin/openssl \
> req -config yubihsm2-openssl.conf -new \
> -engine pkcs11 -keyform engine -key slot_0-label_ca_key -out certs.dir/ca.csr.pem
> engine "pkcs11" set.
> Enter PKCS#11 token PIN for YubiHSM:
>
> openssl ca I fail to get working, no prompt presented; tried adding
> -passin stdin but that has no effect.
>
> YUBIHSM_PKCS11_CONF=yubihsm2-pkcs11.conf \
> local-build/bin/openssl ca -passin stdin -engine pkcs11 -keyform engine -key "pkcs11:token=YubiHSM;object=ca_key;type=private" \
> -config yubihsm2-openssl.conf \
> -days 3650 -extensions vpn_server_cert \
> -out server.cert.pem \
> -infiles ../server/certs.dir/server.csr.pem
> engine "pkcs11" set.
> Using configuration from yubihsm2-openssl.conf
> Login failed
> Login to token failed, returning NULL...
> PKCS11_get_private_key returned NULL
> cannot load CA private key from engine
> 140735853761408:error:28078064:UI routines:UI_set_result_ex:result too large:crypto/ui/ui_lib.c:910:You must type in 4 to 32 characters
> 140735853761408:error:82074007:PKCS#11 module:pkcs11_login:Invalid arguments:p11_slot.c:240:
> 140735853761408:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:78:
> unable to load CA private key
>
> Best Regards
> //P

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
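For reference, the shape of the OpenSSL config engine block that the PIN workaround above goes into; this is an added illustration, not the poster's yubihsm2-openssl.conf, and the module paths and PIN value are placeholders.

```ini
# Added illustration of a libp11 engine block in an openssl.cnf (not the
# poster's file). Paths and the PIN are placeholders for your own install.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id    = pkcs11
# OpenSSL's dynamic engine loader and the PKCS#11 module it should drive
dynamic_path = /PLACEHOLDER/path/to/pkcs11.so
MODULE_PATH  = /PLACEHOLDER/path/to/yubihsm_pkcs11.so
init = 0
# The workaround from the thread: a PIN set here lets libp11 log in to the
# token without going through OpenSSL's UI prompt. Anyone who can read this
# file can read the PIN, so restrict it to the CA operator (e.g. mode 0600)
# and keep the interactive prompt wherever the tool honours it.
PIN = "PLACEHOLDER-PIN"
```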