Rutoken under Linux: signing certificate requests.
Importing the private key:
nikl@ak49:~$ /usr/bin/pkcs15-init --store-private-key keys/ca.key --auth-id 02 --id 47 --label 'CA-KEY' --key-usage sign
Using reader with a card: Aktiv Rutoken S 00 00
User PIN required.
Please enter User PIN:
Importing the certificate:
nikl@ak49:~$ /usr/bin/pkcs15-init --store-certificate keys/ca.crt --authority --auth-id 02 --id 47 --label 'CA-CERT'
Using reader with a card: Aktiv Rutoken S 00 00
User PIN required.
Please enter User PIN:
Checking the result:
nikl@ak49:~$ pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --list-objects --login
Using slot 1 with a present token (0x1)
Logging in to "Rutoken S (User PIN)".
Please enter User PIN:
Private Key Object; RSA
label: CA-KEY
ID: 47
Usage: sign
Public Key Object; RSA 2048 bits
label: CA-KEY
ID: 47
Usage: none
Certificate Object, type = X.509 cert
label: CA-CERT
ID: 47
Everything looks right, although the "Usage: none" on the Public Key bothers me.
Configuring openssl to work with the token via pkcs11 (openssl.conf):
[ engine_section ]
#
# If you are using PKCS#11
# Install engine_pkcs11 of opensc (www.opensc.org)
# And uncomment the following
# verify that dynamic_path points to the correct location
#
pkcs11 = pkcs11_section
[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH=/usr/local/lib/opensc-pkcs11.so
PIN = 12345678
init = 0
Trying to sign some user certificate request:
nikl@ak49:~$ openssl ca -config openssl.cnf -engine pkcs11 -key slot_1-id_47 -in user.csr -out user.crt
Using configuration from openssl.cnf
engine "pkcs11" set.
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'RU'
stateOrProvinceName :ASN.1 12:'none'
localityName :ASN.1 12:'City'
organizationName :ASN.1 12:'Firma'
organizationalUnitName:ASN.1 12:'IT'
commonName :ASN.1 12:'user'
emailAddress :IA5STRING:'user@domain.com'
Certificate is to be certified until Jan 7 13:29:29 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
3523:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:281:
On the last step the token blinks, but right after 'y' it bails out with an error, apparently somewhere in the depths of openssl.
Where else should I look?
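A pre-flight check I would run before the openssl ca step, added here and not part of the original post: it parses the pkcs11-tool --list-objects output shown above and confirms that the object ID you pass as slot_N-id_XX really has a Private Key Object with "sign" in its Usage and a Certificate Object with the same ID (the engine signs with the private key, so only that object's Usage is inspected). The function name check_token_objects and the embedded sample listing are mine; the sample is constructed to mirror the listing above.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Pipe the output of
#   pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --list-objects --login
# into check_token_objects <ID>. It verifies that a Private Key Object with that
# ID has "sign" usage and that a Certificate Object with the same ID exists,
# then prints the slot_N-id_XX key spec for openssl's pkcs11 engine (exit 1 on failure).
check_token_objects() {
    awk -v want="$1" '
        # One object = an "... Object" header line followed by indented attribute lines.
        function flush() {
            if (type == "") return
            if (id == want) {
                if (type ~ /^Private Key Object/) { havekey = 1; if (usage ~ /sign/) keysign = 1 }
                if (type ~ /^Certificate Object/) havecert = 1
            }
            type = ""; id = ""; usage = ""
        }
        /^Using slot [0-9]+ / { slot = $3 }          # slot number for the key spec
        /Object/              { flush(); type = $0; next }
        $1 == "ID:"           { id = $2 }
        $1 == "Usage:"        { usage = $0 }
        END {
            flush()
            rc = 0
            if (!havekey)      { print "FAIL: no Private Key Object with ID " want > "/dev/stderr"; rc = 1 }
            else if (!keysign) { print "FAIL: private key " want " has no sign usage" > "/dev/stderr"; rc = 1 }
            if (!havecert)     { print "FAIL: no Certificate Object with ID " want > "/dev/stderr"; rc = 1 }
            if (rc == 0) print "slot_" slot "-id_" want
            exit rc
        }'
}

# Constructed sample listing (same layout pkcs11-tool prints) for a stand-alone run.
SAMPLE_LISTING='Using slot 1 with a present token (0x1)
Private Key Object; RSA
  label:      CA-KEY
  ID:         47
  Usage:      sign
Public Key Object; RSA 2048 bits
  label:      CA-KEY
  ID:         47
  Usage:      none
Certificate Object, type = X.509 cert
  label:      CA-CERT
  ID:         47'

printf '%s\n' "$SAMPLE_LISTING" | check_token_objects 47   # prints slot_1-id_47
```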