
Re: Using external key with ncipher HSM

by Leonardo L. P. da Mata


To illustrate how I import the keys, I've imported them again, and here
is the result:

c:\nfast\bin\generatekey --import -c mscapi pkcs11 pemreadfile=teste.pem type=RSA
recovery: Key recovery? (yes/no) [yes] >
plainname: Key name? [] > imported3
nvram: Store blob in NVRAM (will require administrator cardset)? (yes/no) [no]
>
key generation parameters:
 operation    Operation to perform                                      import
 application  Application                                               pkcs11
 protect      Protected by                                              token
 slot         Slot to read cards from                                   0
 recovery     Key recovery                                              yes
 verify       Verify security of key                                    yes
 type         Key type                                                  RSA
 pemreadfile  PEM file containing RSA key                               teste.pem
 plainname    Key name                                                  imported3
 nvram        Store blob in NVRAM (will require administrator cardset)  no

Loading `mscapi':
 Module 1: 0 cards of 1 read
 Module 1 slot 0: `mscapi' #1 (`oper')
 Module 1 slot 0:- passphrase supplied - reading card
Card reading complete.

Key successfully imported.
Path to key: C:\nfast\kmdata\local\key_pkcs11_uc3d9fa9461f5ada90d40e0b1a2420099ea70834bb-9108857e16ec3ee22b9a23373e9c6f24eac8d70b



It seems that the key is correctly imported. "This is surely possible,
but we have not done it so we can't provide you with finished commands
for importing keys for PKCS#11." Do you think that the message
saying "Key successfully imported." is not true?

1) I will try the JCE way.
2) Since there's no difference between creating a new one and
importing, the options are a little bit confusing. Maybe the
documentation must be more "step by step"-like.. :-)
3) I noticed that also.


I will check for other ways to use the HSM and keep giving feedback here.

Thanks for all the help provided.



On Tue, Oct 14, 2008 at 3:57 PM, Ejbca support
<ejbca-support@...> wrote:

>
> Hi,
>
> 1) The Howto article is created for the NFastToken way of using nCipher,
> not PKCS#11. You can use nCipher using:
> - PKCS#11
> - NFast JCE Provider
>
> Both ways work, but the howto for importing keys is done for the JCE
> provider.
> When trying to start JBoss using the JCE provider did you use
> EJBCA/bin/nCipherJboss.sh and did you have the nCipher JCE/JCA provider
> installed (it is separate packages in the nCipher install).
>
> When nfkminfo says:
> -----
>
> jboss@host$ $NFAST_HOME/bin/nfkminfo -k
>  AppName jcecsp Ident f7e825134fe23f58b1575d8efb487babe7ebd1ed
>  AppName jcecsp Ident f7e825134fe23f58b1575d8efb487babe7ebd1ed-key-832c8a89fe813dc99ae61e094fe5d195ca3e405d
> -----
> jcecsp means the keys can only be used by the JCE-provider. nCipher does it so you have different targets depending on which API you are using. If you want to use PKCS#11 you need to import the keys in another way.
> This is surely possible, but we have not done it so we can't provide you with finished commands for importing keys for PKCS#11.
>
>
> 2) There is no option for creating an "imported CA", you simply create a
> CA as usual and provide the correct parameters as CAToken parameters.
>  From EJBCA's view there is no difference between a CA with keys
> generated in the HSM or created in the HSM. From EJBCA's view the keys
> ARE simply in the HSM and are used in the HSM.
>
> Simply create a new CA using keys on the HSM. Enter a name for the new
> CA and click 'Create CA'.
>
> Which options do not exist? Perhaps the wording "When importing a
> sub-CA" is confusing? Since you don't import a CA, you simply create a
> CA as usual.
>
> 3) "Import CA certificate" is for something completely different, don't
> use that. This function simply imports a CA certificate (as you
> noticed), so you can have external CA certificates imported for various
> verification reasons.
>
> Cheers,
> Tomas
> -----
> PrimeKey Solutions offers a commercial EJBCA support subscription and
> training for EJBCA. Please see www.primekey.se or contact
> info@... for more information.
> http://download.primekey.se/documents/ejbca_subscription.pdf
> http://download.primekey.se/documents/ejbca_training.pdf
>
>
> Leonardo L. P. da Mata wrote:
>> Hey, so, I've read the documentation, but I think there are some gaps...
>> Just to make sure, to use the nCipher nShield, I should use the PKCS#11
>> interface, right? I've tried to start JBoss using the nCipher
>> interface, but it didn't work. So I suppose that this kind of HSM must
>> use the PKCS#11 interface.
>>
>> On the screen:
>> https://localhost:8443/ejbca/adminweb/ca/editcas/editcas.jsp
>>
>> I can't find the option mentioned in the documentation; there's no
>> "create new CA 'ImportedCA'" option, and when I click the create
>> button, there's no option that can be selected as ImportedCA.
>>
>> There are "Import CA keystore" and "Import CA certificate", but when I
>> use the option "Import CA certificate" I can import my CA certificate,
>> but the key is not stored in the HSM. The CA Token Type is set to Null
>> after the import.
>>
>> We must provide more than one type of security solution; that's why I'm
>> testing both generating keys inside the HSM and generating them outside and
>> importing them.
>>
>> The next step I will try is to generate user certificates onto smart
>> cards, but I'm already testing http://www.hardtokenmgmt.org/.
>>
>> Thanks, I appreciate the help. I hope to help the company that I'm
>> working for to become another reference installation.
>>
>>
>> On Tue, Oct 14, 2008 at 5:28 AM, Tomas Gustavsson <tomas@...> wrote:
>>
>>> Hi Leonardo,
>>>
>>> Did you read the chapter in the User Guide at ejbca.org called
>>> "Importing an existing CA or sub-CA to EJBCA"? It's under the
>>> HSM->nCipher section. This text explains exactly how you can import
>>> existing keys (stored on disk) to create a CA in EJBCA.
>>> It also explains how you create the CA in EJBCA.
>>>
>>> We have done this and it works, no options in JBoss. Since the keys are
>>> imported into nCipher, it is simply just like any other CA with keys on
>>> the nCipher HSM. There is no difference between this CA and a CA where
>>> keys are generated inside the HSM (which is the recommended way for
>>> security reasons of-course).
>>>
>>> Regards,
>>> Tomas
>>> -----
>>> PrimeKey Solutions offers a commercial EJBCA support subscription and
>>> training for EJBCA. Please see www.primekey.se or contact
>>> info@... for more information.
>>> http://download.primekey.se/documents/ejbca_subscription.pdf
>>> http://download.primekey.se/documents/ejbca_training.pdf
>>>
>>>
>>>
>>>
>>>
>>> Leonardo L. P. da Mata wrote:
>>>
>>>> Hello,
>>>>
>>>> I'm developing the PKI infrastructure for the Official Press of Minas
>>>> Gerais State, in Brazil, and I'm having some problems generating
>>>> keys outside an HSM and importing them into the HSM.
>>>>
>>>> The server is a Windows XP, and I'm using an nCipher nShield HSM. I was
>>>> able to import the keys using generatekey --import, and the keys are
>>>> listed using the nfkminfo tool, but I don't know how to use these keys to
>>>> create a new CA. Is it possible to use external keys to create new
>>>> CAs?
>>>>
>>>> Is there any special change needed to use imported keys in the administration
>>>> GUI? Do I need to set parameters when I start JBoss to use external
>>>> keys?
>>>>
>>>> Is there any other source of information other than ejbca.org?
>>>>
>>>> I'm using ejbca-3.7.1 and jboss-4.2.3-GA
>>>>
>>>> Thanks.
>>>>
>>>> BTW, we are planning to develop the tools as free-software.
>>>>
>>>>
>>> _______________________________________________
>>> Ejbca-develop mailing list
>>> Ejbca-develop@...
>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>>>
>>>
>>
>>
>>
>>
>
>
>



--
Leonardo Luiz Padovani da Mata
barroca@...

"May the force be with you, always"
"Nerd Pride... I have it. Do you?"

