authorTrumeet <yuuta@yuuta.moe>2023-06-23 14:49:51 -0700
committerTrumeet <yuuta@yuuta.moe>2023-06-23 14:49:51 -0700
commit35deca68d108a51054780943c20e2d597ffbc17d (patch)
treeecd7cdf8346a0e9a71591c1ab523e159d00a307d
parent3a778dc82e54605326cdf26a29b57e4c496603f3 (diff)
Use HSM
-rw-r--r--Makefile3
-rw-r--r--ca.cnf4
2 files changed, 6 insertions, 1 deletions
diff --git a/Makefile b/Makefile
index ce68603..46c0c9c 100644
--- a/Makefile
+++ b/Makefile
@@ -3,6 +3,7 @@
ca.crl: crlnumber index.txt
openssl ca \
-verbose \
+ -engine pkcs11 -keyform engine \
-config ca.cnf \
-gencrl \
-out ca.crl
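Review bot: The flag pair `-engine pkcs11 -keyform engine` is pasted verbatim into this recipe and into the two `openssl ca` recipes in the following hunks, so any change to the token setup must be repeated in three places; hoist it once, e.g. `PKCS11_FLAGS := -engine pkcs11 -keyform engine` near the top of the Makefile and `$(PKCS11_FLAGS) \` in each recipe. Since `-config ca.cnf` replaces the default openssl.cnf, no engine section from the system config is read here, so this rule presumably relies on the libp11 engine locating the PKCS#11 module on its own (p11-kit proxy or its built-in default) — confirm on the signing host, and a comment naming the module it expects would save the next maintainer a debugging session. The ENGINE API is deprecated as of OpenSSL 3.0 in favour of providers (`-provider pkcs11 -provider default`, with no `-keyform engine`); the `pkcs11:` key URI in ca.cnf is usable by both, so a one-line comment such as `# ENGINE API, deprecated in OpenSSL 3 — migrate to the pkcs11 provider when available` would record why the older mechanism was chosen.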
@@ -10,6 +11,7 @@ ca.crl: crlnumber index.txt
revoke:
openssl ca \
-verbose \
+ -engine pkcs11 -keyform engine \
-config ca.cnf \
-revoke sub.crt
@@ -18,6 +20,7 @@ sub.crt: sub.csr
touch index.txt
openssl ca \
-verbose \
+ -engine pkcs11 -keyform engine \
-config ca.cnf \
-extensions extensions_sub \
-notext \
diff --git a/ca.cnf b/ca.cnf
index 214fb26..e4aa4d6 100644
--- a/ca.cnf
+++ b/ca.cnf
@@ -12,7 +12,9 @@ database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/.rand
-private_key = $dir/ca.key
+#private_key = $dir/ca.key
+# https://support.nitrokey.com/t/pki-ca-nitrokey-hsm-does-not-support-signing/2598/6
+private_key = pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=a8465bfa9b8f461e;token=Yuuta%20Root%20CA;id=%02;object=SIGN%20key;type=private
certificate = $dir/ca.crt
# CRL
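Review bot: The commented-out `#private_key = $dir/ca.key` is left as dead configuration and says nothing about what happened to that file; moving the signing key onto a token only helps if no copy of `ca.key` remains on disk (or in backups), so either note that the key was generated on-token or record that the old file was securely destroyed. Replace the dead line with a comment that states this, e.g. `# CA key lives on the PKCS#11 token below; there is no on-disk ca.key (old file shredded / key generated on-token)`. Pinning `serial=a8465bfa9b8f461e` in the URI is good, since it prevents `openssl ca` from silently picking a different token that happens to carry the same label. With `manufacturer=piv_II` and `id=%02`, the object looks like the PIV Digital Signature slot (9C), which on most PIV cards requires a PIN for every signature — presumably intended for a CA key, but worth confirming so the CRL and signing recipes do not fail unattended.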