Nitrokey HSM as CA for signing CSRs

I want to use the Nitrokey HSM to create a CA for a company PKI and sign CSRs using it.
For that purpose I initialized the module and generated an rsa2048 key pair on it.

Then I created a self-signed certificate to be my CA using
openssl req -engine pkcs11 -keyform engine -new -key 0:10 -nodes -days 3650 -x509 -sha256 -out "ca.crt" -subj="/C=DE/ST=NRW/L=Essen/O=Keine Visitenkarte eingerichtet"

Afterwards I created a CSR and tried to sign it using
openssl ca -cert keys/ca.crt -engine pkcs11 -keyform engine -key 0:10 -in keys/test1.csr -out keys/test1.crt

Now I get the following error messages:
engine "pkcs11" set.
Using configuration from openssl.cnf
Format not recognized!
The certificate ID is not a valid PKCS#11 URI
The PKCS#11 URI format is defined by RFC7512
The legacy ENGINE_pkcs11 ID format is also still accepted for now
Format not recognized!
The certificate ID is not a valid PKCS#11 URI
The PKCS#11 URI format is defined by RFC7512
The legacy ENGINE_pkcs11 ID format is also still accepted for now
PKCS11_get_private_key returned NULL
cannot load CA private key from engine
140070709236992:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:…/crypto/engine/eng_pkey.c:78:
unable to load CA private key

Is there something wrong with the subject of my CA? Or any other obvious mistake?

Thanks and cheers,
Wolfgang

Forget about this. I found the excellent tutorial from Karsten Ness at Heinlein (https://www.heinlein-support.de/sites/default/files/slac16_hardware-security-module.pdf) and I’m using XCA now. Maybe you want to put a link to this tutorial on your HSM start page, it helped me very much, actually more than everything which is currently on this page :wink:

Cheers,
Wolfgang


Hi Wolfgang!

Thank you for letting us know! We will look into this. Linking is one thing (looks like a good candidate indeed!), but was there any specific thing/page which has helped you grasp the topic? Knowing that, we could improve our guide as well.

Most of my confusion came from the different referencing of keys on the token. Once you have to reference them by slot and id as in the “openssl req” call; in the second “openssl ca” call this won’t work any longer and you have to use a PKCS#11 URI, which is completely different.
This is no nitrokey issue, not at all, but an openssl or pkcs11-engine story; however, it stopped me from using the nitrokey as I wanted to in the first place.
However, as I became a bit lazy over the years, I’m using XCA now and so far I’m quite happy with it.
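The two notations Wolfgang describes name the same key: the legacy libp11 engine reference ("0:10", a slot number and a hex key id) and an RFC 7512 PKCS#11 URI. The POSIX sh helper below, added here and not part of the thread, of OpenSSL, libp11 or Nitrokey, rewrites a legacy slot:id (or bare hex id) reference into the URI form; it assumes the legacy slot number is the PKCS#11 slot id (compare against your token's slot listing) and that the id is hex, as libp11 expects.

```shell
#!/bin/sh
# legacy_to_pkcs11_uri SLOT:HEXID | HEXID
# Rewrites a legacy libp11 key reference such as "0:10" into an RFC 7512
# PKCS#11 URI such as "pkcs11:slot-id=0;id=%10".
# Assumption: the legacy slot number equals the PKCS#11 slot id.
legacy_to_pkcs11_uri() {
  ref=$1
  case "$ref" in
    *:*) slot=${ref%%:*}; hexid=${ref#*:} ;;
    *)   slot=""; hexid=$ref ;;
  esac
  # The id must be a non-empty hex string with whole bytes (even digit count).
  case "$hexid" in
    ''|*[!0-9A-Fa-f]*) echo "invalid hex id: '$hexid'" >&2; return 1 ;;
  esac
  if [ $(( ${#hexid} % 2 )) -ne 0 ]; then
    echo "hex id must have an even number of digits: '$hexid'" >&2
    return 1
  fi
  if [ -n "$slot" ]; then
    case "$slot" in
      *[!0-9]*) echo "invalid slot number: '$slot'" >&2; return 1 ;;
    esac
  fi
  # Percent-encode every byte of the id: "10" -> "%10", "0102" -> "%01%02".
  # RFC 7512 allows unreserved bytes unencoded, but encoding all of them
  # is always valid and avoids surprises with shell and config quoting.
  encid=$(printf '%s' "$hexid" | sed 's/../%&/g')
  if [ -n "$slot" ]; then
    printf 'pkcs11:slot-id=%s;id=%s\n' "$slot" "$encid"
  else
    printf 'pkcs11:id=%s\n' "$encid"
  fi
}

# Demonstration with the reference used in the thread (constructed usage).
legacy_to_pkcs11_uri "0:10"
```

The resulting URI is what the engine expects wherever it reports "The certificate ID is not a valid PKCS#11 URI".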

Hi Wolfgang,

thanks, for now I just added the pdf here.

I would like to improve the instructions in https://nitrokey.com/start as well in the future… So you are right, this should be improved indeed.

Kind regards
Alex