On 06/17/13 16:54 +0200, Stefan Scheidewig wrote:
> It seems that this special configuration is not possible. Trying to set the key will always result in
>
> TLS: could not use key file `xyz'.
> TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:398
> TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:400
> TLS: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib ssl_rsa.c:648
>
> The ldap code has to be adjusted to use a key or certificate from a configured pkcs#11 keystore.
> Is there another way to accomplish that?
You might give GnuTLS a try, since you can specify the engine in the private key string:
p11tool --login --list-all
private key format (tls_key=) example: pkcs11:model=PKCS%2315%20emulated;manufacturer=OpenPGP%20project;serial=00050000xxxxxxxx;token=OpenPGP%20Card%20%28Signature%20PIN%29;id=%01;object=Signature%20key;object-type=private
If your HSM requires a PIN, you may have to hard code it within that string.
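As an added example (not code from this thread, nor from GnuTLS or OpenLDAP), the following Python parser takes a pkcs11: key string like the one above, percent-decodes its attributes, and reports whether a PIN is embedded in the string itself (the RFC 7512 `pin-value` query attribute), read from a separate file (`pin-source`), or left to be prompted. The sample URI is constructed from the one quoted in the reply, with the serial kept as a placeholder; `object-type=` is the pre-RFC spelling GnuTLS accepted, which RFC 7512 renamed to `type=`.

```python
"""Parse a PKCS#11 URI (RFC 7512) of the kind GnuTLS accepts as a private
key string and show how the PIN is supplied.  Added example, not code from
the OpenLDAP thread above."""
from urllib.parse import unquote, unquote_to_bytes

# Constructed from the URI quoted in the thread; the serial is a placeholder.
EXAMPLE_URI = ("pkcs11:model=PKCS%2315%20emulated;manufacturer=OpenPGP%20project;"
               "serial=00050000xxxxxxxx;token=OpenPGP%20Card%20%28Signature%20PIN%29;"
               "id=%01;object=Signature%20key;object-type=private")


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) with percent-decoding applied.

    Path attributes (before '?') are ';'-separated; query attributes
    (after '?') are '&'-separated.  The 'id' attribute is an opaque byte
    string (CKA_ID), so it is returned as bytes rather than text.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    body = uri[len("pkcs11:"):]
    path, _, query = body.partition("?")

    def split(part, sep):
        attrs = {}
        for item in filter(None, part.split(sep)):
            key, eq, value = item.partition("=")
            if not eq:
                raise ValueError(f"attribute without value: {item!r}")
            attrs[key] = unquote_to_bytes(value) if key == "id" else unquote(value)
        return attrs

    return split(path, ";"), split(query, "&")


def pin_exposure(uri):
    """Classify how the token PIN reaches the application.

    'pin-value'  : PIN is written into the key string, so anyone who can read
                   the configuration (slapd.conf, cn=config) can read the PIN.
    'pin-source' : PIN is read from a separate file/URI that can carry tighter
                   permissions than the main configuration.
    None         : no PIN in the URI; GnuTLS must obtain it another way.
    """
    _, query = parse_pkcs11_uri(uri)
    if "pin-value" in query:
        return "pin-value"
    if "pin-source" in query:
        return "pin-source"
    return None


if __name__ == "__main__":
    path_attrs, _ = parse_pkcs11_uri(EXAMPLE_URI)
    for key, value in path_attrs.items():
        print(f"{key:13s} {value!r}")
    print("PIN exposure:", pin_exposure(EXAMPLE_URI))
```

Running the script prints the decoded token attributes (for instance `model 'PKCS#15 emulated'` and `id b'\x01'`) and `PIN exposure: None` for the URI as quoted; appending `?pin-value=...` is what the reply's "hard code it within that string" amounts to, and `pin_exposure` makes that choice visible so the configuration file's permissions can be reviewed accordingly.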