feanor
May 16, 2024, 12:29pm
Hello,
I am trying to follow this tutorial to build a CA on Windows:
https://docs.nitrokey.com/hsm/windows/certificate-authority
I am failing to use the p11tool in order to obtain the PKCS#11 URI of the Root CA’s private key. The repo referenced in the tutorial seems to be pretty old and I am unable to compile for Windows as some libraries are not available. An easy fix does not seem to be possible.
So, I tried other ways to obtain the p11tool.
Current version of GnuTLS 3.8.4 (https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.4-w64.zip) does not have the p11tool binary included.
The GnuTLS version 3.7.10, however, includes the p11tool binary. Yet, any call I make just gives me an empty reply.
I have tried commands in various variations, such as:
.\p11tool.exe --list-all
.\p11tool.exe --provider "C:\pkcs11\opensc-pkcs11.dll" --list-all
.\p11tool.exe --provider "C:\pkcs11\opensc-pkcs11.dll" --list-all "pkcs11"
.\p11tool.exe --initialize
.\p11tool.exe --provider C:\pkcs11\opensc-pkcs11.dll --initialize "pkcs11:"
I assume that some config files or other dependencies are missing. Could anyone perhaps provide further insight? Or is there another way to obtain private key PKCS#11 URIs?
Thanks in advance.
sc-hsm
May 16, 2024, 12:41pm
I'd suggest using XCA instead. It works well with the Nitrokey HSM and saves you from the hassle of configuring the OpenSSL/PKCS#11 stack.
The point is that OpenSSL is a fast moving target. As soon as you write a piece of documentation, it's probably already outdated.
Thanks for the quick help!
Yes, I did have a look at XCA some time ago, but thought there was another way, rather than bringing an additional tool with a GUI into my workflow.
Indeed, I was able to sign my requests, although I still have some struggles with the tool. Sometimes I receive error messages that disappear when doing the exact same thing again after restarting XCA. Or where is my signed cert exported if I choose not to store it on the HSM? Anyway, I guess it will have to do if no other option arises.
Do you happen to know if p11tool and by that the Nitrokey Certificate Authority tutorial works as anticipated on Linux or Mac?
I don’t know who wrote the tutorial.
A while ago I did some tests with p11tool, which are documented in the CDN. More as a reminder for myself.
—8<------8<------8<------8<------8<------8<------8<—
List token present in the system (both OpenSC and sc-hsm-pkcs11 installed):
asc@bolzano:~/projects/openssl-hsm$ p11tool --list-tokens
Token 0:
URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
Label: System Trust
Type: Trust module
Flags: uPIN uninitialized
Manufacturer: PKCS#11 Kit
Model: p11-kit-trust
Serial: 1
Module: p11-kit-trust.so
Token 1:
URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DECC0900024;token=SmartCard-HSM%20%28UserPIN%29
Label: SmartCard-HSM (UserPIN)
Type: Hardware token
Flags: RNG, Requires login
Manufacturer: www.CardContact.de
Model: PKCS#15 emulated
Serial: DECC0900024
Module: opensc-pkcs11.so
Token 2:
URL: pkcs11:model=SmartCard-HSM;manufacturer=CardContact%20%28www.cardcontact.de%29;serial=DECC0900024;token=SmartCard-HSM
Label: SmartCard-HSM
Type: Hardware token
Flags: RNG, Requires login
Manufacturer: CardContact (www.cardcontact.de)
Model: SmartCard-HSM
Serial: DECC0900024
Module: /usr/local/lib/libsc-hsm-pkcs11.so
List objects on a token:
asc@bolzano:~/projects/openssl-hsm$ p11tool --login --list-all "pkcs11:model=SmartCard-HSM"
Token 'SmartCard-HSM' with URL 'pkcs11:model=SmartCard-HSM;manufacturer=CardContact%20%28www.cardcontact.de%29;serial=DECC0900024;token=SmartCard-HSM' requires user PIN
Enter PIN:
Object 0:
URL: pkcs11:model=SmartCard-HSM;manufacturer=CardContact%20%28www.cardcontact.de%29;serial=DECC0900024;token=SmartCard-HSM;object=C.DevAut;type=cert
Type: X.509 Certificate
Label: C.DevAut
ID:
Object 1:
URL: pkcs11:model=SmartCard-HSM;manufacturer=CardContact%20%28www.cardcontact.de%29;serial=DECC0900024;token=SmartCard-HSM;object=C.DICA;type=cert
Type: X.509 Certificate
Label: C.DICA
Flags: CKA_CERTIFICATE_CATEGORY=CA; CKA_TRUSTED;
ID:
Object 2:
URL: pkcs11:model=SmartCard-HSM;manufacturer=CardContact%20%28www.cardcontact.de%29;serial=DECC0900024;token=SmartCard-HSM;id=%0C%D0%43%5A%2A%7E%88%17%C9%90%F4%7A%0A%A5%82%F7%F7%FF%67%7A;object=DevNetCA%2FAndreas%20Schwier%20%5BTue%20Jul%2018%202023%2014%3A25%3A04%20GMT%2B0200%20%28CEST%29%5D;type=cert
Type: X.509 Certificate (RSA-2048)
Expires: Thu Jul 17 14:25:12 2025
Label: DevNetCA/Andreas Schwier [Tue Jul 18 2023 14:25:04 GMT+0200 (CEST)]
ID: 0c:d0:43:5a:2a:7e:88:17:c9:90:f4:7a:0a:a5:82:f7:f7:ff:67:7a
Object 3:
URL: pkcs11:model=SmartCard-HSM;manufacturer=CardContact%20%28www.cardcontact.de%29;serial=DECC0900024;token=SmartCard-HSM;id=%0C%D0%43%5A%2A%7E%88%17%C9%90%F4%7A%0A%A5%82%F7%F7%FF%67%7A;object=DevNetCA%2FAndreas%20Schwier%20%5BTue%20Jul%2018%202023%2014%3A25%3A04%20GMT%2B0200%20%28CEST%29%5D;type=public
Type: Public key (RSA-2048)
Label: DevNetCA/Andreas Schwier [Tue Jul 18 2023 14:25:04 GMT+0200 (CEST)]
ID: 0c:d0:43:5a:2a:7e:88:17:c9:90:f4:7a:0a:a5:82:f7:f7:ff:67:7a
Object 4:
URL: pkcs11:model=SmartCard-HSM;manufacturer=CardContact%20%28www.cardcontact.de%29;serial=DECC0900024;token=SmartCard-HSM;id=%0C%D0%43%5A%2A%7E%88%17%C9%90%F4%7A%0A%A5%82%F7%F7%FF%67%7A;object=DevNetCA%2FAndreas%20Schwier%20%5BTue%20Jul%2018%202023%2014%3A25%3A04%20GMT%2B0200%20%28CEST%29%5D;type=private
Type: Private key (RSA-2048)
Label: DevNetCA/Andreas Schwier [Tue Jul 18 2023 14:25:04 GMT+0200 (CEST)]
Flags: CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
ID: 0c:d0:43:5a:2a:7e:88:17:c9:90:f4:7a:0a:a5:82:f7:f7:ff:67:7a
Generate certificate request using OpenSSL:
asc@bolzano:~/projects/openssl-hsm$ openssl req -new -x509 -days 365 -subj '/CN=my key/' -sha256 -engine pkcs11 -keyform engine -key 'pkcs11:token=SmartCard-HSM;id=%0C%D0%43%5A%2A%7E%88%17%C9%90%F4%7A%0A%A5%82%F7%F7%FF%67%7A;type=private'
Engine "pkcs11" set.
Enter PKCS#11 token PIN for SmartCard-HSM:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Connect to server using mTLS:
openssl s_client -connect cdn.cardcontact.de:443 -debug -cert client.pem -engine pkcs11 -keyform engine -key 'pkcs11:token=SmartCard-HSM;id=%0C%D0%43%5A%2A%7E%88%17%C9%90%F4%7A%0A%A5%82%F7%F7%FF%67%7A;type=private'
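As an added example (not part of the thread, and not p11tool or OpenSC code), the Python below composes the private-key PKCS#11 URI used in the openssl commands above from the `ID:` line of the p11tool listing, parses such URIs back, and shows why `type=private` is needed: the certificate, public key and private key share one CKA_ID, so a URI without it is ambiguous. The sample objects are a constructed transcription of the `--list-all` output in this post.

```python
"""Added example: compose, parse and match RFC 7512 PKCS#11 URIs in the form
p11tool prints them (every non-unreserved character percent-encoded, CKA_ID
bytes always escaped). Sample objects are transcribed from the thread's listing."""
from urllib.parse import quote, unquote, unquote_to_bytes

def encode_id(hex_id: str) -> str:
    """p11tool style: every CKA_ID byte escaped as uppercase %XX."""
    return "".join(f"%{b:02X}" for b in bytes.fromhex(hex_id.replace(":", "")))

def encode_attr(value: str) -> str:
    """Escape all but RFC 7512 unreserved chars (p11-kit escapes more than required)."""
    return quote(value, safe="")

def build_uri(**attrs: str) -> str:
    """pkcs11: URI from path attributes; 'id' is colon-separated hex as p11tool lists it."""
    items = [f"{k}={encode_id(v) if k == 'id' else encode_attr(v)}" for k, v in attrs.items()]
    return "pkcs11:" + ";".join(items)

def parse_uri(uri: str) -> dict:
    """Path attributes of a pkcs11: URI; id comes back as colon-separated lowercase hex."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path = uri[len("pkcs11:"):].split("?", 1)[0]          # query attributes not needed here
    attrs = {}
    for item in filter(None, path.split(";")):
        key, _, value = item.partition("=")
        attrs[key] = unquote_to_bytes(value).hex(":") if key == "id" else unquote(value)
    return attrs

def matching_objects(uri: str, objects: list) -> list:
    """Objects agreeing with every attribute the URI names; more than one hit means ambiguity."""
    wanted = parse_uri(uri)
    return [o for o in objects if all(o.get(k) == v for k, v in wanted.items())]

# Constructed from the p11tool --list-all output in the thread (model/serial omitted).
CA_ID = "0c:d0:43:5a:2a:7e:88:17:c9:90:f4:7a:0a:a5:82:f7:f7:ff:67:7a"
TOKEN = "SmartCard-HSM"
LABEL = "DevNetCA/Andreas Schwier [Tue Jul 18 2023 14:25:04 GMT+0200 (CEST)]"
SAMPLE_OBJECTS = [
    {"token": TOKEN, "object": "C.DevAut", "type": "cert"},
    {"token": TOKEN, "object": "C.DICA", "type": "cert"},
    {"token": TOKEN, "id": CA_ID, "object": LABEL, "type": "cert"},
    {"token": TOKEN, "id": CA_ID, "object": LABEL, "type": "public"},
    {"token": TOKEN, "id": CA_ID, "object": LABEL, "type": "private"},
]

if __name__ == "__main__":
    key_uri = build_uri(token=TOKEN, id=CA_ID, type="private")
    print(key_uri)                                        # the -key value used with openssl
    print(len(matching_objects(build_uri(token=TOKEN, id=CA_ID), SAMPLE_OBJECTS)), "hits without type=")
    print(len(matching_objects(key_uri, SAMPLE_OBJECTS)), "hit with type=private")
```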