nmav pushed to caml-crush (master). "updated text"

notifications at fedoraproject.org
Fri Mar 27 12:48:58 UTC 2015


From c2dd69b0f2407277e92d2943004b9002e3838660 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav at redhat.com>
Date: Fri, 27 Mar 2015 13:42:49 +0100
Subject: updated text


diff --git a/README.fedora b/README.fedora
index 969445f..3a2aa9e 100644
--- a/README.fedora
+++ b/README.fedora
@@ -3,7 +3,7 @@ Deploy a software isolated HSM in Fedora
 ========================================
 
 The caml-crush package includes a software isolated softhsm, which
-is available as a PKCS #11 module. That is accesible via /usr/lib64/pkcs11/libsofthsm2.so
+is available as a PKCS #11 module. That is accesible via /usr/lib64/pkcs11/libp11clientsofthsm.so
 module or for applications which support PKCS #11 URLs, via the URL
 "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken".
 
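Review bot: the replaced line still carries the typo "accesible"; since the line is being rewritten anyway, change it to "accessible". The new module path is also hard-coded to /usr/lib64, so the text only holds on systems that use lib64. Either say so, or have the spec file substitute the library directory when installing README.fedora.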
@@ -19,6 +19,10 @@ to access the isolated softhsm.
 # gpasswd -a user pkcs11proxy
 # su user
 
+========================
+Initialize using p11tool
+========================
+
 If you already have a key/certificate pair you can copy them to the HSM
 $ sudo cat /etc/pkcs11proxyd/pins.txt
 $ p11tool --write --load-privkey key.pem --label server-key "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken" --login
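Review bot: the first command under the new "Initialize using p11tool" heading is `sudo cat /etc/pkcs11proxyd/pins.txt`, and nothing says why the reader is printing that file. Add a sentence under the heading stating what pins.txt holds and that it is needed for the `--login` commands that follow, if that is the intent. Since the preceding step is `su user`, it is also worth saying that this command needs sudo rights for that account.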
@@ -28,11 +32,24 @@ Or you can generate the key inside the module:
 $ p11tool --generate-rsa "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken" --login --outfile pubkey.pem --label server-key
 $ certtool --generate-request --load-pubkey pubkey.pem --load-privkey "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken;object=server-key;type=private" --outfile request.pem
 
-
 You can now list them. You should have 2 objects, the private key, and the certificate.
 
 $ p11tool --login --list-all "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken"
 
+
+============================
+Initialize using pkcs11-tool
+============================
+
+To write a private key and certificate (must be provided in DER format):
+$ pkcs11-tool --module /usr/lib64/pkcs11/libp11clientsofthsm.so -y privkey -w ./key-rsa.der -l --label server-key --usage-sign --usage-decrypt
+$ pkcs11-tool --module /usr/lib64/pkcs11/libp11clientsofthsm.so -y cert -w ./cert-rsa.der -l --label server-cert
+
+
+==============
+Test operation
+==============
+
 To test the key pair operation:
 $ gnutls-serv --echo --x509keyfile "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken;object=server-key;type=private" \
 	--x509certfile "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken;object=server-cert;type=cert"
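Review bot: the new pkcs11-tool section writes ./key-rsa.der and ./cert-rsa.der, while the p11tool section works from key.pem, and the only guidance is "must be provided in DER format". Add a line saying how the reader gets DER files from an existing PEM pair, or at least that the PEM files must be converted first. The "You can now list them" step also ends up inside the p11tool section, so readers who follow the pkcs11-tool path have no verification step before "Test operation"; move the listing under its own heading or repeat it after the pkcs11-tool commands. The labels server-key and server-cert do match the object names in the gnutls-serv URLs, which is good.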
@@ -40,4 +57,3 @@ $ gnutls-serv --echo --x509keyfile "pkcs11:model=SoftHSM%20v2;manufacturer=SoftH
 $ gnutls-cli localhost -p 5556 --insecure
 
 If the connection succeeded you can use the HSM, using the URLs above
-
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/caml-crush.git/commit/?h=master&id=c2dd69b0f2407277e92d2943004b9002e3838660

