@@ -795,6 +795,43 @@ Base64 encoded output of RSA_private_encrypt() (OpenSSL) or mbedtls_pk_sign()
This capability is intended to allow the use of arbitrary cryptographic
service providers with OpenVPN via the management interface.
+COMMAND -- pk-sig (OpenVPN 2.5 or higher)
+------------------------------------------
+Provides support for external storage of the private key. Requires the
+--management-external-key option. This option can be used instead of "key"
+in client mode, and allows the client to run without the need to load the
+actual private key. When the SSL protocol needs to perform a sign
+operation, the data to be signed will be sent to the management interface
+via a notification as follows:
+
+>PK_SIGN:[BASE64_DATA]
+
+The management interface client should then create an appropriate signature of
+the (decoded) BASE64_DATA using the private key and return the SSL signature as
+follows:
+
+pk-sig
+[BASE64_SIG_LINE]
+.
+.
+.
+END
+
+RSA signatures (for RSA keys) and and ECDSA signatures (for EC keys) are
+supported. For EC keys openssl 1.1 or higher is required.
+
+Base64 encoded output of RSA_private_encrypt for RSA or ECDSA_sign() for EC
+using OpenSSL or mbedtls_pk_sign() using mbed TLS will provide a correct
+signature.
+
+This capability is intended to allow the use of arbitrary cryptographic service
+providers with OpenVPN via the management interface.
+
+Currently RSA signature is challenged for by '>RSA_SIGN', but eventually
+'>PK_SIGN' prompt will be used for all signature types. New management clients
+should be prepared to respond to '>PK_SIGN' with 'pk-sig' followed by the
+appropriate signature.
+
COMMAND -- certificate (OpenVPN 2.4 or higher)
----------------------------------------------
Provides support for external storage of the certificate. Requires the