Hardware key storage
on 06.06.2002 04:18:26 by Imran Badr
Hi,
I am sorry if this question has been asked before in this group. I wanted to
find out what would be required to use private keys stored in hardware with
apache and modssl? Modssl code looks for private key file in the host
machine and calls use_private_key() sort of function of openssl to store
private key in ssl context. Is it possible to use modssl with apache when
keys are created in tamper proof hardware and never leave it? Is there
any patch to do that?
Thanks for any advice.
Imran.
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
Re: Hardware key storage
on 08.06.2002 14:56:22 by francois
On Wed, 5 Jun 2002 19:18:26 -0700
"Imran Badr" wrote:
> Hi,
> I am sorry if this question has been asked before in this group. I wanted to
> find out what would be required to use private keys stored in hardware with
> apache and modssl? Modssl code looks for private key file in the host
> machine and calls use_private_key() sort of function of openssl to store
> private key in ssl context. Is it possible to use modssl with apache when
> keys are created in tamper proof hardware and never leave it? Is there
> any patch to do that?
mod_ssl relies on OpenSSL and OpenSSL-engine handles access for some
crypto cards.
F.
RE: Hardware key storage
on 11.06.2002 21:54:44 by Imran Badr
Engine support includes offloading RSA/DSA operations but I haven't found
any way to notify modssl that the key is in hardware key storage. Modssl
always looks for disk files for private key and certificate files and I
haven't figured out how to use hardware key storage. Apache will never start
if those files are not on disk.
Thanks for the reply.
Imran.
Re: Hardware key storage
on 12.06.2002 11:06:19 by Peter Viertel
Whether this can be done is something you should talk to the vendor of
your HSM about. If you're still looking for one to buy, I can confirm
that it can be done with nCipher's gear using openssl-engine and some
extra binaries they provide; I personally have experience with Solaris
and using an HSM protected key. They trick mod_ssl into running with a
dummy key, and then openssl engine offloads the key transforms via their
CHIL API.
At http://www.ncipher.com/resources/index.html you will find their
whitepapers on the subject.
I work for an nCipher Solutions partner, so my view here is obviously
biased; there are other HSM vendors apparently.
-PeterV.
Imran Badr wrote:
>Engine support includes offloading RSA/DSA operations but I haven't found
>any way to notify modssl that the key is in hardware key storage. Modssl
>always looks for disk files for private key and certificate files and I
>haven't figured out how to use hardware key storage. Apache will never start
>if those files are not on disk.
>
>Thanks for the reply.
>Imran.
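Added illustration (not part of the original thread, and not nCipher's or mod_ssl's own configuration): Apache httpd 2.4.42 and later lets SSLCertificateKeyFile take an OpenSSL engine key identifier, typically a PKCS#11 URI, in place of a file path, so no dummy key file is needed. The engine name, token label, object name, host name and file paths below are constructed placeholders; the PKCS#11 engine must be installed separately, and how the token PIN is supplied is engine-specific and not shown.

```apache
# --- Key on disk (the situation described in the thread) -------------------
# The PEM private key sits in the filesystem; anyone who can read the file,
# or a backup of it, has the key.
#
#   SSLCertificateFile    "/etc/httpd/conf/ssl.crt/server.crt"
#   SSLCertificateKeyFile "/etc/httpd/conf/ssl.key/server.key"

# --- Key held in hardware --------------------------------------------------
# Server-wide: select the OpenSSL engine that talks to the token or HSM.
# Requires an OpenSSL build with engine support and the named engine present.
SSLCryptoDevice pkcs11

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on

    # The certificate is public data and can stay in an ordinary file.
    SSLCertificateFile    "/etc/httpd/conf/ssl.crt/server.crt"

    # A key identifier instead of a path: httpd asks the engine for a handle
    # to the key, and private-key operations are carried out by the device.
    # The URI names the key; it contains no key material.
    SSLCertificateKeyFile "pkcs11:token=example-token;object=www-key;type=private"
</VirtualHost>
```

After a restart, confirm that no private key file for this host remains readable on the web server, including old copies and backups.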