How To generate CSR with the Smart Card-HSM

I cannot figure out how to generate a base64 encoded Certificate Signing Request (CSR) with any of the OpenSC tools.

The wiki page states :

[quote]The SmartCard-HSM driver extracts the required PKCS#11 public key object from certificates stored on the device. For newly generated key pairs without a certificate, the certificate signing request is stored instead.
To save the generated public key in Subject Public Key Information format as per RFC 3280 use the following command…
[/quote]

My problem is that it does not say how to retrieve the CSR and, in particular, how to output/convert the output to a base64 encoded CSR so that I may submit it to a CA to obtain a certificate.

Secondly, assuming I manage to retrieve the CSR, what then are the exact steps involved in associating the received certificate with the key pair in the HSM?

I have also attempted a second method by using the Windows Certificate Manager tool to generate a custom certificate request utilizing the OpenSC Minidriver. In this method, everything goes fine until the Nitrokey HSM is accessed by the tool. I am blocked there as it says the Nitrokey HSM is read-only. How do I set up the OpenSC Minidriver so that the Nitrokey SmartCard-HSM is not read-only?

You would need to use OpenSSL to generate the certificate signing request (CSR). Furthermore, you would need to tell OpenSSL to utilize OpenSC’s PKCS#11 engine to access the Nitrokey. Think of OpenSC’s PKCS#11 engine as a driver or middleware for the hardware. See: github.com/OpenSC/OpenSC/wiki/S … ine-pkcs11 The last link also describes how to import an X.509 certificate you got back from your CA.

OpenSC’s MiniDriver has been read-only so far. A quick search indicates that it supports “write” mode in the recent version: “‘Write’ mode can be enabled from the OpenSC configuration file”.
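As an added example of the OpenSSL-plus-PKCS#11-engine route described above (my own script, not code from the thread, OpenSC or Nitrokey), the following assumes the engine and module paths from the thread, key ID 11, a placeholder subject, and a libp11 new enough to handle EC keys; the helper names (key_uri, write_engine_conf, hsm_csr, is_pem_csr, csr_matches_token, hsm_import_cert) are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: create a CSR with OpenSSL's pkcs11
# engine (libp11) on a SmartCard-HSM and write the CA-issued cert back.
# Assumed: engine/module paths from the thread, key ID 11 (the hex byte shown
# by "pkcs11-tool -O"), openssl and pkcs11-tool on PATH, libp11 with EC support.
ENGINE_SO=${ENGINE_SO:-/usr/local/lib/engines/engine_pkcs11.so}
MODULE_SO=${MODULE_SO:-/usr/local/lib/opensc-pkcs11.so}

# PKCS#11 URI for the private key (libp11 syntax); the ID is a hex byte.
key_uri() { printf 'pkcs11:id=%%%s;type=private' "$1"; }

# OpenSSL config that loads the engine, replacing the interactive
# "engine -t dynamic ..." sequence from the thread.
write_engine_conf() {  # usage: write_engine_conf <out.cnf>
    printf '%s\n' 'openssl_conf = openssl_init' '[openssl_init]' \
        'engines = engine_section' '[engine_section]' 'pkcs11 = pkcs11_section' \
        '[pkcs11_section]' 'engine_id = pkcs11' "dynamic_path = $ENGINE_SO" \
        "MODULE_PATH = $MODULE_SO" 'init = 0' > "$1"
}
# Sign a CSR with the on-token key. PEM output is already base64, which is
# what a CA accepts, so no further conversion is needed.
hsm_csr() {  # usage: hsm_csr <key-id-hex> <subject> <out.csr>
    cnf=$(mktemp) && write_engine_conf "$cnf" &&
    OPENSSL_CONF="$cnf" openssl req -new -sha256 -engine pkcs11 \
        -keyform engine -key "$(key_uri "$1")" -subj "$2" -out "$3"
}
# Sanity check on the file: PEM CSR header/footer and base64-only body.
is_pem_csr() {  # usage: is_pem_csr <file>
    head -n 1 "$1" | grep -qxF -e '-----BEGIN CERTIFICATE REQUEST-----' || return 1
    tail -n 1 "$1" | grep -qxF -e '-----END CERTIFICATE REQUEST-----' || return 1
    ! sed '1d;$d' "$1" | grep -qv '^[A-Za-z0-9+/=]\{1,\}$'
}
# Confirm the CSR carries the token's public key (catches a wrong --id).
csr_matches_token() {  # usage: csr_matches_token <key-id-hex> <csr>
    t=$(mktemp) && pkcs11-tool --module "$MODULE_SO" --read-object \
        --type pubkey --id "$1" -o "$t.der" &&
    openssl pkey -pubin -inform DER -in "$t.der" -out "$t.pem" &&
    openssl req -in "$2" -noout -pubkey | cmp -s - "$t.pem"
}
# Once the CA returns the certificate, store it beside the key (same ID).
hsm_import_cert() {  # usage: hsm_import_cert <key-id-hex> <cert.pem> <label>
    der=$(mktemp) && openssl x509 -in "$2" -outform DER -out "$der" &&
    pkcs11-tool --module "$MODULE_SO" -l --write-object "$der" --type cert \
        --id "$1" --label "$3"
}
if [ "${HSM_RUN:-0}" = 1 ]; then  # set HSM_RUN=1 to run against a real token
    hsm_csr 11 '/CN=example.test' /tmp/ec.csr && is_pem_csr /tmp/ec.csr &&
    csr_matches_token 11 /tmp/ec.csr && echo "CSR ready for the CA: /tmp/ec.csr"
fi
```

Only key_uri and is_pem_csr run without hardware; the other helpers need the token plugged in and will prompt for the user PIN.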

This works for RSA keys, but not elliptic curve keys. Are EC keys not supported by the OpenSSL engine? When I try, I get this:

OpenSSL> engine -t dynamic -pre SO_PATH:/usr/local/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/local/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/local/lib/opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
     [ available ]
OpenSSL> req -engine pkcs11 -new -key id_11 -keyform engine -x509 -out /tmp/ec_new.pem -text
engine "pkcs11" set.
PKCS#11 token PIN:
key not found.
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
140735210549328:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:124:
unable to load Private Key
error in req

I know the key exists:

pkcs11-tool -O -l
Using slot 0 with a present token (0x0)
Logging in to "UserPIN (SmartCard-HSM)".
Please enter User PIN:
Private Key Object; RSA
  label:      Certificate
  ID:         10
  Usage:      decrypt, sign, unwrap
Certificate Object; type = X.509 cert
  label:      Certificate
  ID:         10
Public Key Object; RSA 1024 bits
  label:      Certificate
  ID:         10
  Usage:      encrypt, verify
Private Key Object; EC
  label:      Private Key
  ID:         11
  Usage:      sign, derive
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   0441042deae11ac2b518b059e57b91d8af88d253d5dfe57f95f1f904902f2d97de8dac2fd4eca08900d23c3cf0cd63e192fab4540da9a949e3d692450547708cb3b780
  EC_PARAMS:  06082a8648ce3d030107
  label:      Private Key
  ID:         11
  Usage:      verify
Private Key Object; EC
  label:      xxx
  ID:         12
  Usage:      sign, derive
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   04410429777c623f210c8f98c1de3b88cef71bb207ff821e551fed2493d72ad824a1b69d9d4d919b919a8dada66808892a3c30b1d1c570f865e78de03c62fa2c95098b
  EC_PARAMS:  06082a8648ce3d030107
  label:      xxx
  ID:         12
  Usage:      verify

I’ve tried using the newest version of libp11 (which doesn’t load into OpenSSL though engine_pkcs11 says it’s merged into that lib), I’ve tried with the PKCS11SPY but that doesn’t give any more info. It just won’t find the key.

Any clues?

Hi,

As I am not very experienced with ECC and OpenSC, a stab in the dark (to be honest):
Did you already see this wiki page about ECC and OpenSSL and maybe also the general information about OpenSSL and ECC?

Kind regards
Alex

To create a CSR, you have to have access to the private key in order to sign the request. There seems to be only one way to access the private key on the NitroHSM to get a CSR and that’s OpenSSL’s PKCS#11 engine. Since that doesn’t work for EC, this seems like a non-starter.

This seems related. Advice there is to use a new version of OpenSC. I did that, but perhaps I did it wrong. Will test…

That would be great, thanks. Please let us know how it turns out.

Sorry that I couldn’t help so far!