I mixed up the config and log, here is the one I am using:

ca-signer:
    backend: OpenXPKI::Crypto::Backend::OpenSSL
    key: "object=SubCA"
    engine: PKCS11
    engine_section: |
        engine_id = pkcs11
        #dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
        #MODULE_PATH = /usr/local/primus/lib/libprimusP11.so
        PIN = __PIN__
        init = 0
    engine_usage: 'ALWAYS'
    key_store: ENGINE
    shell: /usr/bin/openssl
    randfile: /var/openxpki/rand
    wrapper: ''
    secret: signer

secret:
    signer:
        label: CloudHSM PIN
        method: literal
        value: 12345678
        cache: daemon

Log:

2024/09/12 16:15:49 ERROR OpenSSL error: Engine "pkcs11" set.Failed to
enumerate slotsPKCS11_get_private_key returned NULLCould not read signing key
from org.openssl.engine:pkcs11:SubCA40E79752EB7F0000:error:40000067:pkcs11
engine:ERR_ENG_error:invalid
parameter:eng_back.c:603:40E79752EB7F0000:error:13000080:engine
routines:ENGINE_load_private_key:failed loading private
key:../crypto/engine/eng_pkey.c:79:
[pid=2159|sid=/SrP|rid=556660a02a38]

2024/09/12 16:15:49 ERROR
I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -sign -binary
-nosmimecap -outform PEM -nodetach -engine pkcs11 -keyform engine -in
/var/tmp/openxpki2159mRTrxqWV -inkey SubCA -signer
/var/tmp/openxpki2159vLzL8HQq -out /var/tmp/openxpki2159LlhHmcDS -passin
env:pwd, __EXIT_STATUS__ => 512 [pid=2159|sid=/SrP|rid=556660a02a38]

2024/09/12 16:15:49 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ =>
I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -sign -binary
-nosmimecap -outform PEM -nodetach -engine pkcs11 -keyform engine -in
/var/tmp/openxpki2159mRTrxqWV -inkey SubCA -signer
/var/tmp/openxpki2159vLzL8HQq -out /var/tmp/openxpki2159LlhHmcDS -passin
env:pwd, __EXIT_STATUS__ => 512 [pid=2159|sid=/SrP|rid=556660a02a38]

Cheers,
On Thursday 12 September 2024 at 03:58:10 pm GMT+5, Martin Bartosch
<[email protected]> wrote:
Scott,
> On 12.09.2024 at 11:49, Scott Thomas via OpenXPKI-users
> <[email protected]> wrote:
>
> I am using this config:
>
> ca-signer:
>     backend: OpenXPKI::Crypto::Backend::OpenSSL
>     key: "label_SubCA"
>     engine: PKCS11
>     engine_section: |
>         engine_id = pkcs11
>         dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
>         MODULE_PATH = /usr/local/cloud/lib/libcloudP11.so
>         #PIN = __PIN__
>         init = 0
>     engine_usage: 'ALWAYS'
>     key_store: ENGINE
>     shell: /usr/bin/openssl
>     randfile: /var/openxpki/rand
>     wrapper: ''
>     secret: signer
Your configuration does not match the error message, so you have obviously
edited one of them. And your sample command line's key specification does not
match your OpenXPKI configuration, so why do you expect that it works in
OpenXPKI?
Martin
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
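
One way to run the comparison Martin asks for, as an added example (not code from this thread or from OpenXPKI): it pulls the openssl options out of a logged __COMMAND__ field and compares them with the configured key and engine_id. It assumes the configured key string reaches openssl unchanged as -inkey; the function names, the shortened temp paths and the joined sample record are constructed for illustration.

```python
import shlex

# Constructed sample: a record shaped like the TOOLKIT_COMMAND_FAILED entry in
# this thread, joined onto one line, with shortened placeholder temp paths.
SAMPLE_RECORD = (
    "2024/09/12 16:15:49 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; "
    "__COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, "
    "__ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; "
    "__COMMAND__ => cms -sign -binary -nosmimecap -outform PEM -nodetach "
    "-engine pkcs11 -keyform engine -in /var/tmp/in -inkey SubCA "
    "-signer /var/tmp/cert -out /var/tmp/out -passin env:pwd, "
    "__EXIT_STATUS__ => 512 [pid=2159|sid=/SrP|rid=556660a02a38]"
)

def logged_openssl_options(record):
    """Return {option: value} for the openssl call in a failed-command record."""
    head = record.split(", __EXIT_STATUS__")[0]
    if "__COMMAND__ => " not in head:
        return {}
    # Nested records repeat __COMMAND__; the innermost (last) one is the CLI call.
    tokens = shlex.split(head.rsplit("__COMMAND__ => ", 1)[1])
    opts = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("-"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            # Switches such as -binary take no value; record them as True.
            opts[tok] = nxt if nxt and not nxt.startswith("-") else True
    return opts

def config_mismatches(cfg, opts):
    """Map each config field to (configured, logged) where the two differ."""
    checks = {"key": "-inkey", "engine_id": "-engine"}
    return {field: (cfg.get(field), opts.get(flag))
            for field, flag in checks.items()
            if cfg.get(field) != opts.get(flag)}

if __name__ == "__main__":
    opts = logged_openssl_options(SAMPLE_RECORD)
    # Key strings as they appear in the two configs posted in this thread.
    for key in ("label_SubCA", "object=SubCA"):
        cfg = {"key": key, "engine_id": "pkcs11"}
        print(key, "->", config_mismatches(cfg, opts) or "matches log")
```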