I have a YubiKey NEO which has a lot of amazing capabilities such as OTP, U2F, and PGP smart card for PGP/GPG and even SSH keys. One of the applications I've discovered recently for the device is a PIV applet which you can use to securely store an SSL certificate's private RSA key.
I find this pretty fascinating, as it makes it much more difficult without physical access to steal an SSL certificate.
Is it possible to use a smart card like this for an SSL server's private key? I've never seen configuration in Apache or nginx which would seem to indicate support for anything other than file-based SSL private keys.
Also, the demo given for the PIV applet shows how to create a local file-based private key and then send it to the smart card; is there a way to create the key securely on the card, so that it is never stored anywhere? I know I could just store it in a RAM disk/filesystem so that it's never written to disk, but is there a way to generate it on-device as is possible using OpenPGP for PGP keys?
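An added example, not part of the original post, covering both questions: generating the RSA key pair on the YubiKey itself so the private key never exists on the host, and pointing nginx at that key through OpenSSL's pkcs11 engine. It assumes yubico-piv-tool, the ykcs11 PKCS#11 module and the libp11 pkcs11 engine are installed; the ykcs11 key ids, the subject and the certificate paths are assumptions or placeholders.

```shell
#!/bin/sh
# Added example (not the original poster's code). Assumes yubico-piv-tool,
# ykcs11 and OpenSSL's pkcs11 engine are installed; the management key is
# the factory default unless PIV_MGMT_KEY is set.
set -eu

PIV_SLOT="${PIV_SLOT:-9a}"                   # 9a = PIV Authentication slot
SUBJECT="${SUBJECT:-/CN=www.example.com/}"   # placeholder subject for the CSR

# Map a PIV slot to the PKCS#11 URI of its private key as ykcs11 exposes it
# (assumption: ykcs11 numbers private keys 01..04 for slots 9a, 9c, 9d, 9e).
piv_slot_to_pkcs11_uri() {
  case "$1" in
    9a) id='%01' ;; 9c) id='%02' ;; 9d) id='%03' ;; 9e) id='%04' ;;
    *) return 1 ;;
  esac
  printf 'pkcs11:id=%s;type=private' "$id"
}

# Generate the key pair on the device: only public.pem ever leaves the card.
generate_key_on_card() {
  yubico-piv-tool ${PIV_MGMT_KEY:+-k "$PIV_MGMT_KEY"} \
    -s "$PIV_SLOT" -a generate -A RSA2048 \
    --pin-policy=once --touch-policy=never -o public.pem
}

# Build a CSR signed by the on-card key, then load the CA-issued cert back.
request_and_import_cert() {
  yubico-piv-tool -s "$PIV_SLOT" -a verify-pin -a request-certificate \
    -S "$SUBJECT" -i public.pem -o request.csr
  # ... submit request.csr to your CA and save the result as cert.pem ...
  [ -f cert.pem ] && yubico-piv-tool ${PIV_MGMT_KEY:+-k "$PIV_MGMT_KEY"} \
    -s "$PIV_SLOT" -a import-certificate -i cert.pem
}

# nginx fragment referencing the on-card key through the pkcs11 engine
# (nginx >= 1.7.9 accepts "engine:name:id" for ssl_certificate_key;
# ssl_engine belongs in the main context, the server block inside http).
nginx_fragment() {
  cat <<EOF
ssl_engine pkcs11;
server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/tls/cert.pem;
    ssl_certificate_key "engine:pkcs11:$(piv_slot_to_pkcs11_uri "$PIV_SLOT")";
}
EOF
}
```

Run generate_key_on_card, then request_and_import_cert, then paste the output of nginx_fragment into the nginx configuration; the certificate file is public, so it can live on disk while the private key stays on the card.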