From 3185360834dc9992c141c84517bdecd3a87312a1 Mon Sep 17 00:00:00 2001
From: Rob Austein
Date: Sun, 21 Aug 2016 12:17:19 -0400
Subject: Scripts demonstrating the OpenSSL engine API with Cryptech Alpha HSM.

---
 openssl.conf | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 openssl.conf
(limited to 'openssl.conf')

diff --git a/openssl.conf b/openssl.conf
new file mode 100644
index 0000000..7f156ce
--- /dev/null
+++ b/openssl.conf
@@ -0,0 +1,46 @@
+# For details on what can go here, see:
+#
+# https://github.com/OpenSC/libp11/README.md
+# https://www.nlnetlabs.nl/downloads/publications/hsm/hsm_node18.html
+
+openssl_conf = openssl_def
+
+[openssl_def]
+engines = engine_section
+
+[engine_section]
+pkcs11 = pkcs11_section
+
+[pkcs11_section]
+engine_id = pkcs11
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
+init = 0
+
+# For convenience while testing, we use environment variables to pass
+# in the PIN and the path to the PKCS #11 module. You would NOT
+# want to do this in production, particularly with the PIN.
+
+MODULE_PATH = ${ENV::PKCS11_MODULE}
+PIN = ${ENV::PKCS11_PIN}
+
+# From here down is OpenSSL voodoo for issuing certificates.
+
+[req]
+distinguished_name = dn
+default_md = sha256
+x509_extensions = ext_ca
+
+[dn]
+C = PV
+O = Pottsylvanian Ministry of Offense
+
+[ext_ca]
+basicConstraints = critical, CA:true
+keyUsage = critical, cRLSign, keyCertSign
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ext_ee]
+keyUsage = critical, digitalSignature, nonRepudiation
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
--
cgit v1.2.3
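Review bot: The `[ext_ee]` profile at the end of the hunk carries no `basicConstraints`, while `[ext_ca]` asserts `CA:true`; adding `basicConstraints = critical, CA:FALSE` makes the end-entity profile explicit instead of relying on verifiers treating the absent extension as "not a CA". `[ext_ee]` is also not referenced anywhere in this file — `[req]` points only at `ext_ca`, so anything issued with `req -x509` and this config becomes a CA certificate by default — and presumably a calling script selects it with `-extensions ext_ee`; a comment above the section such as `# Not the default: the calling script must select this profile explicitly (-extensions ext_ee)` would record that. Since an `${ENV::...}` reference to an unset variable makes the whole configuration fail to load, the testing note above `MODULE_PATH` could also state that both `PKCS11_MODULE` and `PKCS11_PIN` must be exported before any openssl invocation that reads this file.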