From: Tomas G. <to...@pr...> - 2013-07-29 15:55:33
On 07/29/2013 03:13 PM, Bruno Bonfils wrote:
> On Mon 29 July, Tomas Gustavsson wrote:
>>
>> Hi Bruno,
>>
>
> Hi Tomas,
>
> thanks for your feedback.
>
>>
>> It is so that it tries to use PKCS#11 for the symmetric encryption as
>> well, not only for asymmetric. So flags on your keys do not matter.
>> Unfortunately symmetric ciphers on HSMs are a nightmare, where you have
>> to code specifically for each HSM. So this might work with another HSM,
>> but not the Luna. The solution was to use BC (soft) for the symmetric
>> session keys and asymmetric (HSM) for session key wrapping.
>>
>> This requires a later version of BC than present in EJBCA 4, something
>> that is a big task. So backporting the fix to EJBCA 4 is unfortunately
>> not an option at this point.
>>
>> Your best options currently might be:
>> - Move to Enterprise Edition (CC certified EJBCA 5)
>> - Use soft CA keys
>> - Wait for EJBCA 6 (sometime during autumn)
>
> Is it possible to use a soft key only for key ciphering?

Unfortunately you cannot mix HSM keys with Soft keys in a CA :-(

Cheers,
Tomas
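
The split described in the quoted reply (symmetric session key handled in software, asymmetric key used only to wrap that session key) looks like this as an added example; it is not part of the original message and is not EJBCA code. It uses only the standard JCE API; the software RSA key pair stands in for the HSM-held key, and the class name, AES-GCM, RSA-OAEP and the sample data are assumptions chosen for the illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.util.Arrays;

// Hypothetical demo class (assumption, not an EJBCA class).
public class HybridKeyWrapDemo {
    public static void main(String[] args) throws Exception {
        // Stand-in for the asymmetric key pair. With an HSM, the private key
        // would be held by the PKCS#11 provider and only step 3 would use it.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair wrappingKeys = kpg.generateKeyPair();

        // 1. Session key is generated and used entirely in software, so no
        //    HSM-specific symmetric mechanism is needed.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey session = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, session, new GCMParameterSpec(128, iv));
        byte[] secret = "constructed sample data".getBytes(StandardCharsets.UTF_8);
        byte[] ciphertext = aes.doFinal(secret);

        // 2. Only the short session key goes through the asymmetric key.
        String rsaOaep = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
        Cipher wrap = Cipher.getInstance(rsaOaep);
        wrap.init(Cipher.WRAP_MODE, wrappingKeys.getPublic());
        byte[] wrappedKey = wrap.wrap(session);

        // 3. Recovery: unwrap with the private key, then decrypt in software.
        Cipher unwrap = Cipher.getInstance(rsaOaep);
        unwrap.init(Cipher.UNWRAP_MODE, wrappingKeys.getPrivate());
        SecretKey recovered =
                (SecretKey) unwrap.unwrap(wrappedKey, "AES", Cipher.SECRET_KEY);
        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, recovered, new GCMParameterSpec(128, iv));
        byte[] plain = dec.doFinal(ciphertext);

        if (!Arrays.equals(plain, secret)) {
            throw new IllegalStateException("round trip failed");
        }
        System.out.println("wrapped key: " + wrappedKey.length + " bytes, round trip ok");
    }
}
```

What has to be stored is the wrapped session key, the IV and the ciphertext; the session key itself never needs to be persisted in the clear.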