Comments (5)

liupums commented on May 21, 2024

In the engine, "vault" is for Azure Key Vault. If you created a key in an HSM, please use "managedHsm" as the prefix. I am adding the Managed HSM example soon.

from azurekeyvaultmanagedhsmengine.

liupums commented on May 21, 2024
  1. the HSM example is available https://github.com/microsoft/AzureKeyVaultManagedHSMEngine/blob/main/samples/nginx-managedHsm/readme.md
  2. I was trying to reproduce the core dump, but no luck. If the prefix "vault" is used for an existing HSM, what I got is
azureuser@hsmlinux:~/AzureKeyVaultManagedHSMEngine/samples/nginx-managedHsm$ openssl req -new -x509 -engine e_akv -keyform engine -key vault:poptryhsmengine:tescckey -out certecc.pem
engine "e_akv" set.
[e] AkvGetKey curl.c(400) curl_easy_perform() failed: Couldn't resolve host name

cannot load Private Key from engine
140637073995072:error:8010E103:lib(128):akv_load_key_cert:load public key error:/home/azureuser/AzureKeyVaultManagedHSMEngine/src/dllmain.c:203:
140637073995072:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:77:
unable to load Private Key

I noticed that in your error message, there is no

[e] AkvGetKey curl.c(400) curl_easy_perform() failed: Couldn't resolve host name

Maybe you are using the old code; could you pull the latest code, rebuild and retry?


liupums commented on May 21, 2024

Not reproducible.


jetbee commented on May 21, 2024

Thanks for the new example.
I've run the commands step by step.
Then it worked!
Thank you very much!

In my environment some commands produced errors.
Here are my corrections:

(1)

openssl req -newkey rsa:2048 -nodes -keyout cert_1.key -x509 -days 365 -out cert_1.cer -config openssl.cnf

In my Windows 10 environment, I can use the default openssl.cnf when none is specified:

openssl req -newkey rsa:2048 -nodes -keyout cert_1.key -x509 -days 365 -out cert_1.cer

(2)
Before running this command:

az keyvault key create --curve p-256 --kty EC-HSM --name testecckey --hsm-name [HSM NAME] --ops sign

In my case it was necessary to assign an HSM local role to my account via this command:

az keyvault role assignment create --hsm-name [HSM NAME] --assignee xxx --scope / --role "Managed HSM Crypto User"

(3)

Maybe p-256 is a typo for P-256:

az keyvault key create --curve P-256 --kty EC-HSM --name testecckey --hsm-name [HSM NAME] --ops sign


liupums commented on May 21, 2024

(1) The sample openssl.cnf is provided in the repo.
(2) This is a good point.
(3) p-256 should work (it is case-insensitive).

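The steps discussed above (role assignment, EC-HSM key creation, self-signed certificate through the e_akv engine) collected into one script, as an added example that is not part of the AzureKeyVaultManagedHSMEngine repository or its nginx-managedHsm sample. It assumes the e_akv engine is built and discoverable by OpenSSL, that the Azure CLI is logged in, and that the caller already holds a role allowed to create local role assignments on the HSM. The environment variable names (HSM_NAME, KEY_NAME, ASSIGNEE), the function names and the certificate subject are this example's own choices, and the "az ad signed-in-user show --query id" lookup is an assumption about the CLI's output shape (older CLI versions expose objectId instead).

```shell
#!/usr/bin/env sh
# Added example, not the project's own code. Provisions an EC-HSM signing
# key in Azure Managed HSM and issues a self-signed certificate with the
# e_akv OpenSSL engine, so the private key never leaves the HSM.
set -eu

# Build the key reference the e_akv engine expects: <kind>:<name>:<key>.
# "vault" targets Azure Key Vault, "managedHsm" targets Managed HSM. Using
# "vault" for a Managed HSM key is the mistake behind the "load public key
# error" in the thread, so anything else is rejected before openssl runs.
akv_key_ref() {
  kind=$1; name=$2; key=$3
  case "$kind" in
    vault|managedHsm) ;;
    *) echo "akv_key_ref: kind must be vault or managedHsm, got '$kind'" >&2; return 1 ;;
  esac
  if [ -z "$name" ] || [ -z "$key" ]; then
    echo "akv_key_ref: empty name or key" >&2
    return 1
  fi
  printf '%s:%s:%s\n' "$kind" "$name" "$key"
}

# Environment (assumed names for this example):
#   HSM_NAME  - Managed HSM name (required)
#   KEY_NAME  - key to create (default testecckey, as in the thread)
#   ASSIGNEE  - principal to grant "Managed HSM Crypto User"
#               (defaults to the signed-in user; "id" is an assumption about
#               the Azure CLI output, older versions use objectId)
provision_and_sign() {
  hsm=${HSM_NAME:?set HSM_NAME}
  key=${KEY_NAME:-testecckey}
  assignee=${ASSIGNEE:-$(az ad signed-in-user show --query id -o tsv)}

  # (2) Managed HSM local RBAC: key creation and signing need Crypto User.
  az keyvault role assignment create --hsm-name "$hsm" --assignee "$assignee" \
    --scope / --role "Managed HSM Crypto User"

  # (3) P-256 key restricted to the sign operation (curve name is case-insensitive).
  az keyvault key create --curve P-256 --kty EC-HSM --name "$key" \
    --hsm-name "$hsm" --ops sign

  # (1) Self-signed certificate via the engine; -subj avoids the interactive
  # prompts so the script can run unattended.
  ref=$(akv_key_ref managedHsm "$hsm" "$key")
  openssl req -new -x509 -days 365 -sha256 -engine e_akv -keyform engine \
    -key "$ref" -subj "/CN=$key.example" -out certecc.pem

  # Check 1: a self-signed cert must verify against itself. This exercises the
  # ECDSA signature the HSM produced, so a bad engine setup fails here.
  openssl verify -CAfile certecc.pem certecc.pem

  # Check 2: the certificate's public key is really P-256 (local check, no
  # network round trip to the HSM).
  openssl x509 -in certecc.pem -noout -pubkey \
    | openssl ec -pubin -noout -text 2>/dev/null \
    | grep -q 'prime256v1\|P-256'
  echo "certecc.pem issued and verified for $ref"
}

# Only touch Azure when explicitly asked, so the helper above can be sourced
# or tested without credentials.
if [ "${1:-}" = "run" ]; then
  provision_and_sign
fi
```

Run it as `HSM_NAME=<your hsm> sh akv-hsm-cert.sh run`; the role assignment step can be skipped on reruns once the principal already holds Crypto User.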
