Generating a key on the hardware token
In this recipe, we will generate a private key on the hardware token itself, after which we generate a certificate to match this private key. For security-sensitive purposes, this is one of the safest ways to generate a certificate/private-key pair, as the private key cannot be copied off the hardware token. It also means that if the hardware token fails or is stolen, then the private key and corresponding certificate are lost.
Getting ready
Keep the hardware token from the previous recipe at hand. In this recipe, the computer used was running Fedora 12 Linux, pcsc-lite 1.5.2, opensc-0.11.12, engine_pkcs11 0.1.4 and PKI Client 5.00, but the commands used should work with other PKCS#11 libraries as well. The engine_pkcs11 library is the "engine" interface between the openssl command and a PKCS#11 driver. This package can be found on the OpenSC project website for Linux, Windows, and Mac OS X.
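To make the role of engine_pkcs11 concrete, the following script is an added example (it is not part of the book's recipe or of the OpenSC project) showing the three pieces that have to fit together: an openssl.cnf section that tells openssl to load engine_pkcs11 and points the engine at the PKCS#11 driver, a pkcs11-tool call that generates the key pair on the token, and an openssl req call that signs a CSR with the on-token key. The library paths, the key ID 01, the label openvpn-client and the id_<hex> key-reference syntax are assumptions for the engine_pkcs11 0.1.x era and must be adjusted to your distribution and token.

```shell
#!/bin/sh
# Added example, not from the book: key generation on a PKCS#11 token and a CSR
# signed through engine_pkcs11, so the private key never leaves the token.
# All paths and identifiers below are assumptions; adjust them to your system.
ENGINE_SO="${ENGINE_SO:-/usr/lib/engines/engine_pkcs11.so}"   # engine_pkcs11 library
PKCS11_MODULE="${PKCS11_MODULE:-/usr/lib/opensc-pkcs11.so}"   # PKCS#11 driver
KEY_ID="${KEY_ID:-01}"                    # CKA_ID of the key object (hex byte)
KEY_LABEL="${KEY_LABEL:-openvpn-client}"  # CKA_LABEL of the key object

# Write an OpenSSL config that loads engine_pkcs11 and hands it the driver path.
# The [req] sections let 'openssl req' run without interactive prompts.
# Prints the path of the written file.
write_engine_conf() {
    cnf="$1"
    cat > "$cnf" <<EOF
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = $ENGINE_SO
MODULE_PATH = $PKCS11_MODULE
init = 0

[req]
distinguished_name = req_dn
prompt = no

[req_dn]
CN = $KEY_LABEL
EOF
    printf '%s\n' "$cnf"
}

# Sanity check: every line the engine needs is present in a written config.
conf_has_engine() {
    grep -q '^engine_id = pkcs11$' "$1" &&
    grep -q "^dynamic_path = $ENGINE_SO\$" "$1" &&
    grep -q "^MODULE_PATH = $PKCS11_MODULE\$" "$1"
}

# Generate the RSA key pair on the token; only its CKA_ID and label are
# referenced afterwards, the private key material is never exported.
token_keygen() {
    pkcs11-tool --module "$PKCS11_MODULE" --login \
        --keypairgen --key-type rsa:2048 --id "$KEY_ID" --label "$KEY_LABEL"
}

# Build a CSR whose signature is produced by the token via the engine.
# 'id_<hex>' is the key-reference syntax of engine_pkcs11 0.1.x (assumption);
# newer releases also accept PKCS#11 URIs.
token_csr() {
    openssl req -config "$1" -engine pkcs11 -keyform engine \
        -key "id_$KEY_ID" -new -out "$2"
}

# The token steps need real hardware and a PIN prompt; run them only on request.
if [ "${RUN_TOKEN_STEPS:-0}" = 1 ]; then
    cnf=$(write_engine_conf ./pkcs11-openssl.cnf)
    token_keygen
    token_csr "$cnf" ./token.csr
    openssl req -in ./token.csr -noout -text | head -n 12
fi
```

Run it with `RUN_TOKEN_STEPS=1 sh script.sh` on the machine where the token is plugged in; without that variable it only defines the functions, which is what lets the config-writing part be exercised offline. The resulting token.csr is then signed by the OpenVPN CA like any other request, and the certificate is stored next to the key on the token.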
How to do it...
The easy-rsa scripts that are supplied with OpenVPN...