Creating csr on am62x

Hi, I want to sign a CSR on an embedded device with an am62x-SOM using a private key on the Nitrokey HSM. I already have certificates and keys stored on the HSM.

I tried a tutorial from SmartCardHSM · OpenSC/OpenSC Wiki · GitHub

I have to use the command line for an automated script. Also, I'm fixed to openssl3, so the tutorial commands do not work. Is there a tutorial for openssl3?

OpenSSL 3+ has dropped the engine support and introduced the provider concept.

There is a PKCS#11 Provider, but we have not tried that yet.

Thx a lot! I have installed pkcs11-provider additionally and now I got a step further. But now it cannot find the private key on the HSM. Am I using the correct key id?

openssl ca -keyfile pkcs11:id=3367dd2bf0d91233a8c4c7694fc985453d358305 -policy signing_policy -extensions signing_req -out new.pem -infiles nginx.csr
Using configuration from /usr/lib/ssl-3/openssl.cnf
Enter pass phrase for PKCS#11 Token (Slot 0 - Nitrokey Nitrokey HSM (ID) 00 00):
Could not find CA private key from pkcs11:id=3367dd2bf0d91233a8c4c7694fc985453d358305

pkcs15-tool --list-keys
Using reader with a card: Nitrokey Nitrokey HSM (ID) 00 00
Private EC Key [HansWerner]
Object Flags : [0x01], private
Usage : [0x104], sign, derive
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Algo_refs : 0
FieldLength : 256
Key ref : 1 (0x01)
Native : yes
Auth ID : 01
ID : 3367dd2bf0d91233a8c4c7694fc985453d358305
MD:guid : 74c2f304-1064-f187-7d6b-13db27dcee6c

Additional Info: With pkcs11-tool I am missing sign as usage option.

pkcs11-tool --list-objects
Using slot 0 with a present token (0x0)
Public Key Object; EC EC_POINT 256 bits
EC_POINT: 04410492f8db4beab7bad4b6a34e7786f47ad6084ae255e79845ad3e1caac9914d31ce9d51ed792b3f97881bc978b757aacd7511348842733c6cd5919bfff1ac528ca2
EC_PARAMS: 06092b2403030208010107 (OID 1.3.36.3.3.2.8.1.1.7)
label: HansWerner
ID: 3367dd2bf0d91233a8c4c7694fc985453d358305
Usage: verify, derive
Access: none

I don’t have a NitroHSM. But you’ll most likely only see your “protected” keys (such as for signing) after logging in, i.e., when running pkcs11-tool --login --list-objects. Also, the PKCS#11 URIs that I know are much more complicated than “pkcs11:id=3367dd2bf0d91233a8c4c7694fc985453d358305”. Newer OpenSC versions will show you the correct URI, as will p11tool from GnuTLS.
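The reply above says a real PKCS#11 URI carries more than a bare `id=` attribute. The script below, added here as an illustration and not taken from the thread, OpenSC or pkcs11-provider, builds an RFC 7512 URI the way p11tool prints one: the `id` attribute is the key's binary ID, so each byte of the hex string that pkcs15-tool shows must be written as a `%xx` escape, and labels with spaces or other reserved characters are percent-encoded too. The key ID and the object label are the ones from the pkcs15-tool output in this thread; the token label `Nitrokey HSM` is an assumed example, since the thread does not show the real one.

```shell
#!/bin/sh
# Build an RFC 7512 PKCS#11 URI for a key on a token, for use with
# OpenSSL 3 and pkcs11-provider (e.g. as the -keyfile argument).
# Added example; not code from the thread, OpenSC or pkcs11-provider.

# Percent-encode a label: every byte outside the RFC 3986 unreserved
# set (A-Z a-z 0-9 - . _ ~) is emitted as %XX. RFC 7512 allows some
# extra characters raw (such as parentheses), but encoding them is
# also valid, so this conservative encoder is always acceptable.
pkcs11_pencode() {
  s=$1
  out=""
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}          # first character of the remaining string
    s=${s#?}                 # drop it
    case $c in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out=$(printf '%s%%%02X' "$out" "'$c") ;;   # "'c" = byte value of c
    esac
  done
  printf '%s' "$out"
}

# Convert a hex key ID (as shown by pkcs15-tool / pkcs11-tool) into the
# percent-encoded binary form the URI "id" attribute requires:
# 3367dd2b -> %33%67%dd%2b
pkcs11_id_from_hex() {
  hex=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  case $hex in
    ''|*[!0-9a-f]*) echo "pkcs11_id_from_hex: not a hex string: $1" >&2; return 1 ;;
  esac
  if [ $(( ${#hex} % 2 )) -ne 0 ]; then
    echo "pkcs11_id_from_hex: odd number of hex digits: $1" >&2
    return 1
  fi
  printf '%s' "$hex" | sed 's/../%&/g'
}

# Assemble the URI: token label, object label, hex ID, and object type
# (private or public). Pinning type=private is what makes the provider
# look for the signing key instead of the public half with the same ID.
pkcs11_key_uri() {
  printf 'pkcs11:token=%s;object=%s;id=%s;type=%s' \
    "$(pkcs11_pencode "$1")" \
    "$(pkcs11_pencode "$2")" \
    "$(pkcs11_id_from_hex "$3")" \
    "$4"
}

# Values from the pkcs15-tool output in the thread; the token label is an
# assumed example (take the real one from "pkcs11-tool --list-token-slots").
KEY_ID=3367dd2bf0d91233a8c4c7694fc985453d358305
KEY_URI=$(pkcs11_key_uri 'Nitrokey HSM' HansWerner "$KEY_ID" private)
printf '%s\n' "$KEY_URI"

# Intended use with OpenSSL 3 (not executed here, needs the token):
#   openssl ca -provider pkcs11 -provider default \
#     -keyfile "$KEY_URI" -policy signing_policy -extensions signing_req \
#     -out new.pem -infiles nginx.csr
```

Compare the printed URI with what `p11tool --login --list-privkeys` reports for the token; the two should agree on the `id` and `object` attributes, and the `type=private` attribute is what distinguishes the signing key from the public key object that `pkcs11-tool --list-objects` shows without a login.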