I have been working on setting up an OpenVPN server with some Nitrokey Pro 2s. I tried following the guide under Applications, but to no avail.
I could not initialize the Nitrokey using pkcs11-tool, so I used gpg to generate keys.
I want to keep my certificate authority on a Nitrokey as well, but I cannot find a way to sign certificates while the private key is only on the Nitrokey. How would I accomplish this?
When I try to generate certificate signing requests via openssl and the pkcs11 module, I get the following error:
engine "pkcs11" set.
Failed to enumerate slots
Failed to enumerate slots
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
140135117153600:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:858:
140135117153600:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:77:
unable to load Private Key
Here is my openssl config:
#PKCS11 engine config
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]
#empty.

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /lib/engines-1.1/pkcs11.so
MODULE_PATH = /lib/pkcs11/opensc-pkcs11.so
PIN = 12345678
init = 0
I have also tried using gpgsm to generate the certificate signing requests, but I can't get openssl to sign them; I get an error message saying:
Signature did not match the certificate request
Any help is appreciated, thank you.
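As an added example that is not part of the original post (and not code from Nitrokey, OpenSC or OpenVPN): the CA flow the post is trying to build, written for the OpenSSL 1.1 command line. By default the CA key is an ordinary file so the script runs without a token; when the environment variable CA_KEY_URI is set to a PKCS#11 URI for the CA private key, the two CA steps switch to `-engine pkcs11` with `-keyform engine` / `-CAkeyform engine`, which is how OpenSSL is pointed at a key that never leaves the token. The URI value, subject names, key type and directory layout are assumptions for illustration; the pkcs11 engine itself must already be configured as in the openssl config above. The script also runs the CSR self-signature check that `openssl x509 -req` performs before it will sign, the check behind the "Signature did not match the certificate request" message.

```shell
#!/bin/sh
# Added example, not code from the original post or from Nitrokey/OpenSC.
# Minimal OpenVPN-style CA flow with the OpenSSL 1.1 CLI: create a CA,
# issue one server certificate from a CSR, verify the resulting chain.
#
# Default: the CA key is a plain file so this runs anywhere.
# Optional: set CA_KEY_URI to a PKCS#11 URI for the CA private key, e.g.
#   CA_KEY_URI="pkcs11:token=MyCA;object=ca-key;type=private"   (assumed)
# and the CA steps use the pkcs11 engine, so the key is never read from disk.
set -eu

# ca_demo DIR: run the whole flow inside DIR (in a subshell, so the caller's
# working directory is untouched). Returns 0 when the issued certificate
# verifies against the CA, non-zero as soon as a step fails.
ca_demo() (
    mkdir -p "$1"
    cd "$1"

    if [ -n "${CA_KEY_URI:-}" ]; then
        # CA key stays on the token: address it by URI through the engine.
        # PKCS#11 URIs contain no spaces, so unquoted expansion below is safe.
        REQ_KEY="-engine pkcs11 -keyform engine -key $CA_KEY_URI"
        SIGN_KEY="-engine pkcs11 -CAkeyform engine -CAkey $CA_KEY_URI"
    else
        # Software stand-in for the token key (P-256 is assumed here).
        openssl ecparam -name prime256v1 -genkey -noout -out ca.key
        REQ_KEY="-key ca.key"
        SIGN_KEY="-CAkey ca.key"
    fi

    # 1. Self-signed CA certificate, signed with whichever CA key is in use.
    openssl req -new -x509 $REQ_KEY -days 3650 -subj "/CN=Demo VPN CA" -out ca.crt

    # 2. Server key and CSR. The server key is an ordinary file here.
    openssl ecparam -name prime256v1 -genkey -noout -out server.key
    openssl req -new -key server.key -subj "/CN=vpn.example.test" -out server.csr

    # 3. Check the CSR's own signature before handing it to the CA. This is the
    # same check `openssl x509 -req` does; when it fails, x509 aborts with
    # "Signature did not match the certificate request". Prints "verify OK".
    openssl req -in server.csr -noout -verify

    # 4. Issue the server certificate with the CA key (file or token).
    openssl x509 -req -in server.csr -CA ca.crt $SIGN_KEY -CAcreateserial \
        -days 825 -out server.crt

    # 5. Confirm the chain that the OpenVPN server and clients will rely on.
    openssl verify -CAfile ca.crt server.crt
)

# Run against the directory given as first argument, or a fresh temp dir.
ca_demo "${1:-$(mktemp -d)}"
```

With a token present, `CA_KEY_URI="pkcs11:token=...;object=...;type=private" sh ca_demo.sh ./pki` keeps step 1 and step 4 on the Nitrokey while everything else, including the server key and CSR, stays on disk.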