From: Tomas G. <to...@pr...> - 2009-02-22 16:36:21
Hi Leonardo,

The certificate is needed because this is how Java's keystore model works. There are nCipher commands to associate a certificate with a key; ckcerttool is the command. We've used this when converting keys from RSA Keon CA to EJBCA. It looks something like this:

-----
C:\nfast\bin>ckcerttool.exe -c oper -f c:\ca\kca.pem -k uc3126f2b3cf7d9d53e3ba278a081ef471644298f8-628484d430c6c0502fdb1a520fb84b9dc73c8372 -L kcaSign
Certificate found, processing...
Please enter the passphrase for "oper" token (No echo set).
Passphrase:
Certificate successfully imported. Run cklist to view your certificate object.
OK
-----

We have imported keys from OpenSSL CAs to nCipher as well. See the User Guide at ejbca.org, "Importing an existing CA or sub-CA to EJBCA".

Cheers,
Tomas

-----
PrimeKey Solutions offers a commercial EJBCA support subscription and training for EJBCA. Please see www.primekey.se or contact in...@pr... for more information.
http://download.primekey.se/documents/ejbca_subscription.pdf
http://download.primekey.se/documents/ejbca_training.pdf

Lars Silvén wrote:
> Leonardo,
>
> There are no secure ways of generating the key externally and then
> importing it to the HSM. For you it might be secure if you make sure that
> the original key is deleted after it has been stored on the HSM. But
> consider everyone else in the world who has not been with you when the
> key was generated, transferred to the HSM and then deleted on the
> original medium. They will never know if you have made copies of your
> key.
>
> If you still want to do it I will comment on your alternatives:
> 1. could not be done. This requires an old cert on the HSM for the key.
> This old cert (some guy) will be replaced.
> 2. might be possible depending on the p11 implementation.
> 3. you have a problem getting the key from the java keystore (created by the
> sun p11 wrapper). The wrapper requires that you have a key associated
> with it.
>
> Easiest way ought to be if your HSM has some tool to import a
> certificate for a key.
>
> Cheers,
> Lars
>
> On fre, 2009-02-20 at 16:44 -0300, Leonardo L. P. da Mata wrote:
>> Hello,
>>
>> Why do keys generated with the pkcs11 interface need a certificate?
>>
>> I'm trying to use the pkcs11 interface to import keys into the nCipher
>> HSM for use with ejbca, since I have a secure way to create a key
>> externally. I was perfectly able to import keys into the HSM and see
>> those keys using the pkcs11 interface, but those keys are not
>> available when I use EJBCA. What happens is that EJBCA keys need a
>> certificate.
>>
>> In KeyStoreContainerBase.java, the generate method creates a keypair:
>> final KeyPair keyPair = kpg.generateKeyPair();
>> and then a certificate with this keypair:
>> chain[0] = getSelfCertificate("CN=some guy, L=around, C=US",
>> (long)30*24*60*60*365, sigAlgName, keyPair);
>>
>> I don't know exactly what to do to use an external KeyPair from a file
>> and then generate the certificate.
>>
>> I'm thinking about 3 possible solutions:
>> 1-import the key into the HSM, generate a certificate signed with this
>> key and then import this certificate to the HSM using PKCS11HSMKeyTool
>> importcert
>> 2-create PKCS11HSMKeyTool importkey to get a keypair from a file,
>> import this key to the HSM and then import the certificate to the HSM.
>> 3-create PKCS11HSMKeyTool generatecert to read an imported keypair
>> from the HSM, and use this keypair to generate the certificate.
>>
>> How hard is it to implement one of these solutions?
>>
>> Besides security issues, what's the problem with using imported keys with
>> ejbca, since PKCS11HSMKeyTool doesn't have an import key tool
>> implemented?
>>
>>
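The following is an added example, not code from EJBCA, PrimeKey or anyone in the thread. It shows the Java keystore behaviour the thread is about: the SunPKCS11 KeyStore only exposes a private key as an alias when a certificate is stored next to it with the same CKA_ID, which is why EJBCA's generate() wraps a fresh key pair in a self-signed "CN=some guy" certificate. The code takes Leonardo's option 2 (import a software key plus a self-signed certificate through the PKCS#11 provider), which Lars notes only works if the token permits key import; a key that already sits on the token without a certificate cannot be reached through KeyStore at all (Lars' point 3), and for that the vendor tool Tomas shows (ckcerttool) is the route. Assumed, and not from the page: JDK 9 or later (Provider.configure), BouncyCastle bcprov and bcpkix on the classpath, an RSA private key in DER PKCS#8 form, and a SunPKCS11 config file pointing at the token's PKCS#11 library. Lars' warning stands: once the key has existed in software, nobody but you can know no copy was kept.

```java
// Added example (not EJBCA code): import an externally generated RSA key into a
// PKCS#11 token via SunPKCS11 and attach the certificate the Java KeyStore model
// needs so the key becomes visible as a key entry under an alias.
import java.math.BigInteger;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.RSAPublicKeySpec;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class P11ImportKeyWithCert {

    /** Self-signed certificate for an existing key pair. The PKCS#11 KeyStore
     *  lists a private key only when a certificate with the same CKA_ID is
     *  stored beside it; this plays the role of EJBCA's getSelfCertificate(). */
    static X509Certificate selfSign(PrivateKey priv, PublicKey pub, String dn,
                                    long validityDays, String sigAlg) throws Exception {
        X500Name name = new X500Name(dn);
        long now = System.currentTimeMillis();
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                name, BigInteger.valueOf(now), new Date(now),
                new Date(now + validityDays * 24L * 60 * 60 * 1000), name, pub);
        ContentSigner signer = new JcaContentSignerBuilder(sigAlg).build(priv);
        X509CertificateHolder holder = builder.build(signer);
        return new JcaX509CertificateConverter().getCertificate(holder);
    }

    /** Load a PKCS#8 DER RSA key and rebuild its public half from the CRT parameters
     *  (SunPKCS11 needs the CRT form to create the token object). */
    static KeyPair loadRsaKeyPair(String pkcs8DerPath) throws Exception {
        byte[] der = Files.readAllBytes(Paths.get(pkcs8DerPath));
        try {
            KeyFactory kf = KeyFactory.getInstance("RSA");
            RSAPrivateCrtKey priv = (RSAPrivateCrtKey) kf.generatePrivate(new PKCS8EncodedKeySpec(der));
            PublicKey pub = kf.generatePublic(
                    new RSAPublicKeySpec(priv.getModulus(), priv.getPublicExponent()));
            return new KeyPair(pub, priv);
        } finally {
            Arrays.fill(der, (byte) 0); // best effort only; the software copy is the weak point
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: P11ImportKeyWithCert <sunpkcs11.cfg> <key.p8.der> <alias> <pin>");
            System.exit(2);
        }
        String cfg = args[0], keyPath = args[1], alias = args[2];
        char[] pin = args[3].toCharArray();

        // Assumed config file contents (not from the page), e.g.:
        //   name=nCipher
        //   library=/opt/nfast/toolkits/pkcs11/libcknfast.so
        // JDK 9+ API; on JDK 8 the equivalent is new sun.security.pkcs11.SunPKCS11(cfg).
        Provider p11 = Security.getProvider("SunPKCS11").configure(cfg);
        Security.addProvider(p11);

        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, pin);

        KeyPair kp = loadRsaKeyPair(keyPath);
        X509Certificate cert = selfSign(kp.getPrivate(), kp.getPublic(),
                "CN=some guy, L=around, C=US", 30L * 365, "SHA256withRSA");

        // With a software key, SunPKCS11 creates the private key object on the token
        // and stores the certificate with a matching CKA_ID. Tokens configured to
        // forbid key import reject this call; the password must be null for PKCS11.
        ks.setKeyEntry(alias, kp.getPrivate(), null, new Certificate[] { cert });

        // Check that the key is now visible the way EJBCA will look for it.
        if (!Collections.list(ks.aliases()).contains(alias) || !ks.isKeyEntry(alias)) {
            throw new IllegalStateException("alias " + alias + " is not visible as a key entry");
        }
        PrivateKey fromToken = (PrivateKey) ks.getKey(alias, null);
        X509Certificate stored = (X509Certificate) ks.getCertificate(alias);
        System.out.println("key entry " + alias + " -> " + fromToken.getClass().getName()
                + ", certificate subject " + stored.getSubjectX500Principal());
        Arrays.fill(pin, '\0');
    }
}
```

Run it once per key, then delete the PKCS#8 file and any other copy; the printed key class should be the provider's own PKCS#11 key type, confirming the private key is being handled by the token rather than by the software key you loaded. The self-signed placeholder is only there to satisfy the keystore model, as in EJBCA; the real CA certificate replaces it later.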