I'm curious about this error line from the 'openssl ca' output:

> 140735853761408:error:28078064:UI routines:UI_set_result_ex:result too large:crypto/ui/ui_lib.c:910:You must type in 4 to 32 characters

It should be interesting to try and figure out what pass phrase was
passed and where it came from. I'm afraid that's a debugging session.

Cheers,
Richard

In message <CANtcRX50e0bEwbG=U7L5bKif1StaEEny-01Bq7OfoO0xFvFC9Q@xxxxxxxxxxxxxx> on Tue, 16 Oct 2018 09:54:08 +0200, Peter Magnusson <blaufish.public.email@xxxxxxxxx> said:

> The error can be worked around by entering PIN = "..." into [pkcs11_section].
> pkcs11 engine version is libp11-0.4.9.
> Anyone know if this is a 1) libp11 issue or 2) openssl issue or 3) me
> doing something wrong?
> On Mon, Oct 15, 2018 at 5:40 PM Peter Magnusson
> <blaufish.public.email@xxxxxxxxx> wrote:
> >
> > Hi,
> >
> > I'm trying to understand how to make "openssl ca" prompt for a PKCS#11
> > login pin. Version is openssl-1.1.1.
> >
> > openssl req works as I would expect, prompting for PIN:
> >
> > YUBIHSM_PKCS11_CONF=yubihsm2-pkcs11.conf \
> > local-build/bin/openssl \
> > req -config yubihsm2-openssl.conf -new \
> > -engine pkcs11 -keyform engine -key slot_0-label_ca_key -out certs.dir/ca.csr.pem
> > engine "pkcs11" set.
> > Enter PKCS#11 token PIN for YubiHSM:
> >
> > openssl ca I fail to get working, no prompt presented, tried adding
> > -passin stdin but that has no effect.
> >
> > YUBIHSM_PKCS11_CONF=yubihsm2-pkcs11.conf \
> > local-build/bin/openssl ca -passin stdin -engine pkcs11 -keyform engine -key "pkcs11:token=YubiHSM;object=ca_key;type=private" \
> > -config yubihsm2-openssl.conf \
> > -days 3650 -extensions vpn_server_cert \
> > -out server.cert.pem \
> > -infiles ../server/certs.dir/server.csr.pem
> > engine "pkcs11" set.
> > Using configuration from yubihsm2-openssl.conf
> > Login failed
> > Login to token failed, returning NULL...
> > PKCS11_get_private_key returned NULL
> > cannot load CA private key from engine
> > 140735853761408:error:28078064:UI routines:UI_set_result_ex:result too large:crypto/ui/ui_lib.c:910:You must type in 4 to 32 characters
> > 140735853761408:error:82074007:PKCS#11 module:pkcs11_login:Invalid arguments:p11_slot.c:240:
> > 140735853761408:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:78:
> > unable to load CA private key
> >
> > Best Regards
> > //P