Re: Using external key with ncipher HSM

by Leonardo L. P. da Mata

Hey, so, I've read the documentation, but I think there are some gaps...
Just to make sure, to use the nCipher nShield, I should use the pkcs11
interface, right? I've tried to start jboss using the ncipher
interface, but it didn't work. So I suppose that this kind of HSM must
use the pkcs11 interface.

On the screen:
https://localhost:8443/ejbca/adminweb/ca/editcas/editcas.jsp

I can't find the option mentioned in the documentation; there's no
"create new CA 'ImportedCA'" option, and when I click the create
button, there's no option that can be selected as ImportedCA.

There are "Import CA keystore" and "import CA certificate", but when I
use the option "import CA certificate" I can import my CA certificate,
but the key is not stored in the HSM. The CA Token Type is set to Null
after the import.

We must provide more than one type of security solution; that's why I'm
testing both generating keys inside the HSM and generating them outside and
importing them.

The next step I will try is to generate user certificates into smart
cards, but I'm already testing http://www.hardtokenmgmt.org/.

Thanks, I appreciate the help. Hope to help the company that I'm
working for to be another reference installation.


On Tue, Oct 14, 2008 at 5:28 AM, Tomas Gustavsson <tomas@...> wrote:

>
> Hi Leonardo,
>
> Did you read the chapter in the User Guide at ejbca.org called
> "Importing an existing CA or sub-CA to EJBCA"? It's under the
> HSM->nCipher section. This text explains exactly how you can import
> existing keys (stored on disc) to create a CA in EJBCA.
> It also explains how you create the CA in EJBCA.
>
> We have done this and it works, no options in JBoss. Since the keys are
> imported into nCipher, it is simply just like any other CA with keys on
> the nCipher HSM. There is no difference between this CA and a CA where
> keys are generated inside the HSM (which is the recommended way for
> security reasons, of course).
>
> Regards,
> Tomas
> -----
> PrimeKey Solutions offers a commercial EJBCA support subscription and
> training for EJBCA. Please see www.primekey.se or contact
> info@... for more information.
> http://download.primekey.se/documents/ejbca_subscription.pdf
> http://download.primekey.se/documents/ejbca_training.pdf
>
>
>
>
>
> Leonardo L. P. da Mata wrote:
>> Hello,
>>
>> I'm developing the PKI infrastructure for the Official Press of Minas
>> Gerais State, in Brazil, and I'm having some problems generating
>> keys outside an HSM and importing them into the HSM.
>>
>> The server is a Windows XP, and I'm using nCipher nShield HSM. I was
>> able to import the keys using generatekey --import, the keys are
>> listed using the nfkminfo tool, but I don't know how to use these keys to
>> create a new CA. Is it possible to use external keys to create new
>> CAs?
>>
>> Is there any special change to use imported keys in the administration
>> GUI? Do I need to set parameters when I start JBOSS to use external
>> keys?
>>
>> Is there any source of information other than ejbca.org?
>>
>> I'm using ejbca-3.7.1 and jboss-4.2.3-GA
>>
>> Thanks.
>>
>> BTW, we are planning to develop the tools as free-software.
>>
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Ejbca-develop mailing list
> Ejbca-develop@...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>



--
Leonardo Luiz Padovani da Mata
barroca@...

"May the force be with you, always"
"Nerd Pride... I have it. Do you?"
