I cannot figure out how to generate a base64 encoded Certificate Signing Request (CSR) with any of the OpenSC tools.
The wiki page states:
[quote]The SmartCard-HSM driver extracts the required PKCS#11 public key object from certificates stored on the device. For newly generated key pairs without a certificate, the certificate signing request is stored instead.
To save the generated public key in Subject Public Key Information format as per RFC 3280 use the following command…
[/quote]
My problem is that it does not say how to retrieve the CSR and, in particular, how to output/convert it to a base64 encoded CSR so that I may submit it to a CA to obtain a certificate.
Secondly, assuming I manage to retrieve the CSR, what then are the exact steps involved in associating the received certificate with the key pair on the HSM?
I have also attempted a second method by using the Windows Certificate Manager tool to generate a custom certificate request utilizing the OpenSC Minidriver. In this method, everything goes fine until the Nitrokey HSM is accessed by the tool. I am blocked there as it says the Nitrokey HSM is ReadOnly. How do I set up the OpenSC Minidriver so that the Nitrokey SmartCard-HSM is not read-only?
You would need to use OpenSSL to generate the certificate signing request (CSR). Furthermore, you would need to tell OpenSSL to utilize OpenSC’s PKCS#11 engine to access the Nitrokey. Think of OpenSC’s PKCS#11 engine as a driver or middleware for the hardware. See: github.com/OpenSC/OpenSC/wiki/S … ine-pkcs11 The last link also describes how to import an X.509 certificate you got back from your CA.
OpenSC’s MiniDriver has been read-only so far. A quick search indicates that it supports “write” mode in the recent version: “‘Write’ mode can be enabled from the OpenSC configuration file”.
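The workflow described in the reply above (key pair on the token, CSR signed through the OpenSSL PKCS#11 engine, CA certificate written back next to the key), as an added shell example that is not part of this thread and not OpenSC's or Nitrokey's own documentation. It assumes OpenSC's pkcs11-tool and the engine_pkcs11/libp11 OpenSSL engine are installed; the module path, key id, label and subject are placeholders to adjust. Each step is wrapped in a function that emits the command line, so `DRY_RUN=1` shows the exact commands without touching a token, and `check_csr` confirms the result is PEM (base64 between BEGIN/END markers, which is what a CA accepts) with a self-consistent signature.

```shell
#!/bin/sh
# Added example (not from the thread): CSR flow for a SmartCard-HSM via OpenSC
# pkcs11-tool and the OpenSSL pkcs11 engine. Assumed values below; change them.
set -eu

MODULE="${MODULE:-/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so}"  # assumed module path
KEY_ID="${KEY_ID:-10}"                                           # constructed hex object id
LABEL="${LABEL:-csr-demo-key}"                                   # constructed label
SUBJ="${SUBJ:-/CN=hsm-demo.example}"                             # constructed subject
CSR_OUT="${CSR_OUT:-request.pem}"

# Step 1: generate the key pair on the token; the private key never leaves the HSM.
keygen_cmd() {
    printf 'pkcs11-tool --module %s --login --keypairgen --key-type rsa:2048 --id %s --label %s\n' \
        "$MODULE" "$KEY_ID" "$LABEL"
}

# Step 2: sign the CSR on-token. The private key is addressed by a PKCS#11 URI and
# openssl req writes PEM, i.e. a base64 body between BEGIN/END CERTIFICATE REQUEST lines.
csr_cmd() {
    printf 'openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:object=%s;type=private" -subj "%s" -out %s\n' \
        "$LABEL" "$SUBJ" "$CSR_OUT"
}

# Step 3: write the CA-issued certificate (DER) back with the same id and label so
# OpenSC pairs it with the key (argument: path to the DER file).
import_cmd() {
    printf 'pkcs11-tool --module %s --login --write-object %s --type cert --id %s --label %s\n' \
        "$MODULE" "$1" "$KEY_ID" "$LABEL"
}

# Sanity check before submitting: PEM markers present and the request's signature
# verifies against the public key embedded in it.
check_csr() {
    grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$1" &&
        openssl req -in "$1" -noout -verify
}

# Runs steps 1 and 2 against a real token; step 3 follows once the CA has answered.
run_pipeline() {
    eval "$(keygen_cmd)"
    eval "$(csr_cmd)"
    check_csr "$CSR_OUT"
}

if [ "${DRY_RUN:-0}" = "1" ]; then
    keygen_cmd
    csr_cmd
    import_cmd cert.der
fi
```

Run with `DRY_RUN=1 sh csr-flow.sh` first to review the commands, then call `run_pipeline` once the PIN and module path are right. The CSR produced by `openssl req` is already base64 (PEM); a CA that wants raw base64 without the BEGIN/END lines can be served with `grep -v -- '-----' request.pem`.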
I’ve tried using the newest version of libp11 (which doesn’t load into OpenSSL though engine_pkcs11 says it’s merged into that lib), I’ve tried with the PKCS11SPY but that doesn’t give any more info. It just won’t find the key.
As I am not very experienced with ECC and OpenSC, this is a stab in the dark (to be honest):
Did you already see this wiki page about ECC and OpenSSL and maybe also the general information about OpenSSL and ECC?
To create a CSR, you have to have access to the private key in order to sign the request. There seems to be only one way to access the private key on the NitroHSM to get a CSR and that’s OpenSSL’s PKCS#11 engine. Since that doesn’t work for EC, this seems like a non-starter.