I want to use the Nitrokey HSM to create a CA for a company PKI and sign CSRs using it.
For that purpose I initialized the module and generated an rsa2048 key pair on it.
Then I created a self-signed certificate to be my CA using
openssl req -engine pkcs11 -keyform engine -new -key 0:10 -nodes -days 3650 -x509 -sha256 -out "ca.crt" -subj="/C=DE/ST=NRW/L=Essen/O=Keine Visitenkarte eingerichtet"
Afterwards I created a CSR and tried to sign it using
openssl ca -cert keys/ca.crt -engine pkcs11 -keyform engine -key 0:10 -in keys/test1.csr -out keys/test1.crt
Now I get the following error messages:
engine "pkcs11" set.
Using configuration from openssl.cnf
Format not recognized!
The certificate ID is not a valid PKCS#11 URI
The PKCS#11 URI format is defined by RFC7512
The legacy ENGINE_pkcs11 ID format is also still accepted for now
Format not recognized!
The certificate ID is not a valid PKCS#11 URI
The PKCS#11 URI format is defined by RFC7512
The legacy ENGINE_pkcs11 ID format is also still accepted for now
PKCS11_get_private_key returned NULL
cannot load CA private key from engine
140070709236992:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:…/crypto/engine/eng_pkey.c:78:
unable to load CA private key
Is there something wrong with the subject of my CA? Or any other obvious mistake?
Thanks and cheers,
Wolfgang