On Sun, Jun 02, 2019 at 05:49:10PM -0700, Erik Madsen wrote:

> I am using a Hardware Security Module. Both s_client and cURL work fine
> due to we can use the CLI "-keyform ENG" for s_client and "--key-type
> ENG" for curl
>
> Is it possible to specify this in the openssl.cnf file instead of the CLI?

You could be a bit more explicit about whether this is a TLS or some other
application. Configuration is "module"-specific.

> For testing this, the following works:
>
> openssl s_client -connect host:port -engine engineSO -keyform ENG -cert /path/to/signed/cert
>
>
> If we can do like this:
>
> OPENSSL_CONF=openssl.cnf openssl s_client -connect host:port -engine engineSO -cert /path/to/signed/cert (removed the -keyform)
>
> I think will work fine

I don't believe that the SSL "conf module" presently supports a "command"
that allows you to specify the "keyform" of a private key file. It has a
"PrivateKey" "command", but this appears to be unconditionally limited to
PEM. If anyone else knows otherwise, corrections welcome.

--
Viktor.