openssl: Define private key / keyform / engine in configuration file

I've successfully set up my openssl environment to use a YubiKey for a CA certificate.

I can sign CSRs with the following command:

openssl ca -engine pkcs11 -keyfile "pkcs11:manufacturer=piv_II;id=%02" -keyform e -infiles pki/reqs/test.req

Now it would be great to get rid of the following part of the command line:

-engine pkcs11 -keyfile "pkcs11:manufacturer=piv_II;id=%02" -keyform e

Is it possible to configure OpenSSL via a configuration file to use this engine/key by default for CA signing operations? What does the configuration for that look like?
















      asked Jul 11 at 6:44









      Matthias Lohr

























