TLS Server Key on HSM

  • Harakiri
    Message 1 of 4 , Jan 4, 2013
      Is it possible to not only configure a key (pem) file for the server key but also a location on a secure token? E.g. somehow set the openssl engine parameter for postfix instead of using smtpd_tls_key_file?

      Is the same possible for client authentication (e.g. sending to a domain which requires X.509 auth)?
    • Wietse Venema
      Message 2 of 4 , Jan 4, 2013
        Harakiri:
        > Is it possible to not only configure a key (pem) file for the
        > server key but also a location on a secure token ? E.g. somehow
        > set the openssl engine parameter for postfix instead of using
        > smtpd_tls_key_file?
        >
        > Is the same possible for client authentication (e.g. sending to a
        > domain which requires X.509 auth)

        All features are described in http://www.postfix.org/TLS_README.html

        Wietse
      • Harakiri
        Message 3 of 4 , Jan 4, 2013
          --- On Fri, 1/4/13, Wietse Venema <wietse@...> wrote:

          > From: Wietse Venema <wietse@...>
          > Subject: Re: TLS Server Key on HSM
          > To: "Postfix users" <postfix-users@...>
          > Date: Friday, January 4, 2013, 9:12 AM
          > Harakiri:
          > > Is it possible to not only configure a key (pem) file for the
          > > server key but also a location on a secure token ? E.g. somehow
          > > set the openssl engine parameter for postfix instead of using
          > > smtpd_tls_key_file?
          > >
          > > Is the same possible for client authentication (e.g. sending to a
          > > domain which requires X.509 auth)
          >
          > All features are described in http://www.postfix.org/TLS_README.html
          >

          Is that another way of saying - NO HSM is not supported - because I read that document, there is no mention of openssl engine, or HSM.

          Here is the part:

          "If a certificate is to be presented, it must be in "PEM" format. The private key must not be encrypted, meaning: it must be accessible without password."
        • Wietse Venema
          Message 4 of 4 , Jan 4, 2013
            Harakiri:
            > > All features are described in http://www.postfix.org/TLS_README.html
            >
            > Is that another way of saying - NO HSM is not supported - because
            > i read that document, there is no mentioning of openssl engine,
            > or HSM.

            If a feature is not documented then it is not supported.

            > Here is the part:
            >
            > "If a certificate is to be presented, it must be in "PEM" format.
            > The private key must not be encrypted, meaning: it must be accessible
            > without password."

            If this text is not 100 percent absolutely clear then please send
            a bug report.

            Wietse
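
The TLS_README requirement quoted in this thread (PEM format, private key not encrypted) can be checked before a file is referenced by smtpd_tls_key_file. The Python script below is an added example, not part of the original messages or of Postfix; the function names, the constructed sample PEM blocks (not real keys) and the file-permission check are assumptions of this example.

```python
import os
import re
import stat

# One PEM block: BEGIN label, optional RFC 1421 headers, base64 body, END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Constructed samples (not real keys): the base64 body is a placeholder.
BODY = "Q09OU1RSVUNURUQ=\n"
SAMPLE_PLAIN = "-----BEGIN PRIVATE KEY-----\n" + BODY + "-----END PRIVATE KEY-----\n"
SAMPLE_PKCS8_ENC = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + BODY +
                    "-----END ENCRYPTED PRIVATE KEY-----\n")
SAMPLE_LEGACY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\n"
                     "Proc-Type: 4,ENCRYPTED\n"
                     "DEK-Info: AES-256-CBC," + "0" * 32 + "\n\n" + BODY +
                     "-----END RSA PRIVATE KEY-----\n")

def classify_pem_keys(pem_text):
    """Return (label, state) for every private-key block in the text."""
    results = []
    for label, body in PEM_BLOCK.findall(pem_text):
        if not label.endswith("PRIVATE KEY"):
            continue  # certificates, DH parameters and so on
        if label == "ENCRYPTED PRIVATE KEY":
            state = "encrypted"    # PKCS#8 EncryptedPrivateKeyInfo
        elif re.search(r"^Proc-Type:\s*4,ENCRYPTED", body, re.M):
            state = "encrypted"    # traditional OpenSSL format with DEK-Info
        else:
            state = "unencrypted"  # loadable without a passphrase
        results.append((label, state))
    return results

def mode_findings(mode):
    """Flag permission bits that expose an unencrypted key to other users."""
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        findings.append("group-accessible")
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("world-accessible")
    return findings

def audit_key_file(path):
    """Classify the keys in one file and report risky permission bits."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        keys = classify_pem_keys(fh.read())
    return {"keys": keys, "mode": mode_findings(os.stat(path).st_mode)}
```

Because the key has to be stored without a passphrase, the file mode is the only protection it has on disk, which is why the audit reports both results together.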