Sorry, I am an idiot =) Problem resolved, user error. -key was the problem and should not be used as I showed. -key has a different meaning for openssl ca than for openssl req, so my PIN was my -key argument. It got my keyfile from the openssl conf file.

On Tue, Oct 16, 2018 at 10:23 AM Richard Levitte <levitte@xxxxxxxxxxx> wrote:
>
> I'm curious about this error line from the 'openssl ca' output:
>
> > 140735853761408:error:28078064:UI routines:UI_set_result_ex:result too large:crypto/ui/ui_lib.c:910:You must type in 4 to 32 characters
>
> It should be interesting to try and figure out what pass phrase was
> passed and where it came from. I'm afraid that's a debugging session.
>
> Cheers,
> Richard
>
> In message <CANtcRX50e0bEwbG=U7L5bKif1StaEEny-01Bq7OfoO0xFvFC9Q@xxxxxxxxxxxxxx> on Tue, 16 Oct 2018 09:54:08 +0200, Peter Magnusson <blaufish.public.email@xxxxxxxxx> said:
>
> > The error can be worked around by entering PIN = "..." into [pkcs11_section].
> > pkcs11 engine version is libp11-0.4.9.
> > Anyone know if this is a 1) libp11 issue or 2) openssl issue or 3) me
> > doing something wrong?
> >
> > On Mon, Oct 15, 2018 at 5:40 PM Peter Magnusson
> > <blaufish.public.email@xxxxxxxxx> wrote:
> > >
> > > Hi,
> > >
> > > I'm trying to understand how to make "openssl ca" prompt for a PKCS#11
> > > login pin. Version is openssl-1.1.1.
> > >
> > > openssl req works as I would expect, prompting for PIN:
> > >
> > > YUBIHSM_PKCS11_CONF=yubihsm2-pkcs11.conf \
> > > local-build/bin/openssl \
> > > req -config yubihsm2-openssl.conf -new \
> > > -engine pkcs11 -keyform engine -key slot_0-label_ca_key -out certs.dir/ca.csr.pem
> > > engine "pkcs11" set.
> > > Enter PKCS#11 token PIN for YubiHSM:
> > >
> > > openssl ca I fail to get working, no prompt presented; tried adding
> > > -passin stdin but that has no effect.
> > >
> > > YUBIHSM_PKCS11_CONF=yubihsm2-pkcs11.conf \
> > > local-build/bin/openssl ca -passin stdin -engine pkcs11 -keyform engine \
> > > -key "pkcs11:token=YubiHSM;object=ca_key;type=private" \
> > > -config yubihsm2-openssl.conf \
> > > -days 3650 -extensions vpn_server_cert \
> > > -out server.cert.pem \
> > > -infiles ../server/certs.dir/server.csr.pem
> > > engine "pkcs11" set.
> > > Using configuration from yubihsm2-openssl.conf
> > > Login failed
> > > Login to token failed, returning NULL...
> > > PKCS11_get_private_key returned NULL
> > > cannot load CA private key from engine
> > > 140735853761408:error:28078064:UI routines:UI_set_result_ex:result too large:crypto/ui/ui_lib.c:910:You must type in 4 to 32 characters
> > > 140735853761408:error:82074007:PKCS#11 module:pkcs11_login:Invalid arguments:p11_slot.c:240:
> > > 140735853761408:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:78:
> > > unable to load CA private key
> > >
> > > Best Regards
> > > //P
> > > --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users