Re: Using external key with ncipher HSM

> Hey, so, I've read the documentation, but i think there are some lacks...
> Just to make sure, to use the nCipher nShield, i should use the pkcs11
> interface, right? I've tried to start jboss using the ncipher
> interface, but it didn't wok. So i suppose that this kind of hsm must
> use the pkcs11 interface.
>
> On the screen:
> https://localhost:8443/ejbca/adminweb/ca/editcas/editcas.jsp
>
> i can't find the option mentioned in the documentation, there's no
> "create new CA 'ImportedCA'" option, and when i click in the create
> button, there's no option that can be selected as impotedCA.
>
> There are "Import CA keystore" and "import CA certificate". but when i
> use the option "import CA certificate" i can import my CA certificate,
> but the key is not stored in the HSM. the CA Token Type is set to Null
> after the import.
>
> We must provide more than 1 type of security solution, that's why I'm
> testing booth generating keys inside HSM and generating outside and
> importing then.
>
> The next step i will try is to generate User certificates into smart
> cards, but I'm already testing http://www.hardtokenmgmt.org/.
>
> Thanks, I appreciate the help. Hope to help the company that I'm
> working for to be another reference installation.
>
>
> On Tue, Oct 14, 2008 at 5:28 AM, Tomas Gustavsson <tomas@...> wrote:
>  
>> Hi Leonardo,
>>
>> Did you read the chapter in the User Guide at ejbca.org called
>> "Importing an existing CA or sub-CA to EJBCA"? It's under the
>> HSM->nCopher section. This text explains exactly how you can import
>> existing keys (stored on disc) to create a CA in EJBCA.
>> It also explains how you create the CA in EJBCA.
>>
>> We have done this and it works, no options in JBoss. Since the keys are
>> imported into nCipher, it is simply just like any other CA with keys on
>> the nCipher HSM. There is no difference between this CA and a CA where
>> keys are generated inside the HSM (which is the recommended way for
>> security reasons of-course).
>>
>> Regards,
>> Tomas
>> -----
>> PrimeKey Solutions offers a commercial EJBCA support subscription and
>> training for EJBCA. Please see www.primekey.se or contact
>> info@... for more information.
>> http://download.primekey.se/documents/ejbca_subscription.pdf
>> http://download.primekey.se/documents/ejbca_training.pdf
>>
>>
>>
>>
>>
>> Leonardo L. P. da Mata wrote:
>>    
>>> Hello,
>>>
>>> I'm developing the pki infrastructure for the Official Press of Minas
>>> Gerais Estate ,in  Brazil, and I'm having some problems on generating
>>> keys outside a HSM and importing then inside the HSM.
>>>
>>> The server is a Windows XP, and I'm using nCipher nShield HSM. I was
>>> able to import the keys using generatekey --import, the keys are
>>> listed using nfkminfo tool, but i don't know how to use these keys to
>>> create a new CA. Is it possible to use external keys to create new
>>> CAs?
>>>
>>> Is there any special change to use imported keys in the administration
>>> GUI? Do I need to set parameters when I start JBOSS to use external
>>> keys?
>>>
>>> Is there any other source of information different then ejbca.org?
>>>
>>> I'm using ejbca-3.7.1 and jboss-4.2.3-GA
>>>
>>> Thanks.
>>>
>>> BTW, we are planning to develop the tools as free-software.
>>>
>>>      
>> -------------------------------------------------------------------------
>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>> Build the coolest Linux based applications with Moblin SDK & win great prizes
>> Grand prize is a trip for two to an Open Source event anywhere in the world
>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> _______________________________________________
>> Ejbca-develop mailing list
>> Ejbca-develop@...
>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>>
>>    
>
>
>
>