author: Doug Barton <dougb@FreeBSD.org>, 2009-05-31 00:11:36 +0000
committer: Doug Barton <dougb@FreeBSD.org>, 2009-05-31 00:11:36 +0000
commit: b0e69f719c1db2c19fcfba96f0dac9a5a2277350 (patch)
tree: 72d567a9bc3fb8adcfcbaa9baedc122d53071209 /README.pkcs11
parent: fe9c1406ede29d1f2b9969c75785beef87a4bf87 (diff)
download: src-b0e69f719c1db2c19fcfba96f0dac9a5a2277350.tar.gz, src-b0e69f719c1db2c19fcfba96f0dac9a5a2277350.zip
Vendor import of BIND 9.6.1rc1
Notes:
svn path=/vendor/bind9/dist/; revision=193141
Diffstat (limited to 'README.pkcs11')
-rw-r--r--  README.pkcs11  61
1 files changed, 61 insertions, 0 deletions
diff --git a/README.pkcs11 b/README.pkcs11 new file mode 100644 index 000000000000..b58640de1c5a --- /dev/null +++ b/README.pkcs11 
@@ -0,0 +1,61 @@ + + BIND-9 PKCS#11 support + +Prerequisite + +The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one, +released the 2007-11-21 for OpenSSL 0.9.8g, with a bug fix (call to free) +and some improvements, including user friendly PIN management. + +Compilation + +"configure --with-pkcs11 ..." + +PKCS#11 Libraries + +Tested with Solaris one with a SCA board and with openCryptoki with the +software token. + +OpenSSL Engines + +With PKCS#11 support the PKCS#11 engine is statically loaded but at its +initialization it dynamically loads the PKCS#11 objects. +Even the pre commands are therefore unused they are defined with: + SO_PATH: + define: PKCS11_SO_PATH + default: /usr/local/lib/engines/engine_pkcs11.so + MODULE_PATH: + define: PKCS11_MODULE_PATH + default: /usr/lib/libpkcs11.so +Without PKCS#11 support, a specific OpenSSL engine can be still used +by defining ENGINE_ID at compile time. + +PKCS#11 tools + +The contrib/pkcs11-keygen directory contains a set of experimental tools +to handle keys stored in a Hardware Security Module at the benefit of BIND. + +The patch for OpenSSL 0.9.8g is in this directory. Read its README.pkcs11 +for the way to use it (these are the original notes so with the original +path, etc. Define OPENCRYPTOKI to use it with openCryptoki.) + +PIN management + +With the just fixed PKCS#11 OpenSSL engine, the PIN should be entered +each time it is required. With the improved engine, the PIN should be +entered the first time it is required or can be configured in the +OpenSSL configuration file (aka. openssl.cnf) by adding in it: + - at the beginning: + openssl_conf = openssl_def + - at any place these sections: + [ openssl_def ] + engines = engine_section + [ engine_section ] + pkcs11 = pkcs11_section + [ pkcs11_section ] + PIN = put__your__pin__value__here + +Note + +Some names here are registered trademarks, at least Solaris is a trademark +of Sun Microsystems Inc... |
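Review bot: the "PIN management" section tells the reader to put the HSM PIN into openssl.cnf (`PIN = put__your__pin__value__here`) but says nothing about protecting that file; once the PIN is in openssl.cnf it is a plaintext credential on disk, readable by anything that can read the OpenSSL configuration, so the README should state that the file (or at least the `[ pkcs11_section ]` it adds) must be restricted to the account running named and the contrib/pkcs11-keygen tools, and should present the interactive path ("entered the first time it is required") as the preferred option. Two documentation nits in the same hunk: the "OpenSSL Engines" sentence "Even the pre commands are therefore unused they are defined with:" is broken and should read something like "Even though the pre commands are therefore unused, they are defined with:"; and "Read its README.pkcs11 for the way to use it" does not say whose README is meant, so the directory (the contrib/pkcs11-keygen directory named in the previous paragraph, presumably) should be spelled out.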