OpenSSL create CSR error


I am using Nitrokey HSM2. I installed OpenSC 0.19.0, OpenSSL 1.1.1c and libp11 from git. I initialized the Nitrokey HSM2. Result of the pkcs11-tool:

Slot 0 (0x0): Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
  token label        : UserPIN (PES-HSM-test)
  token manufacturer :
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 3.2
  serial num         : DENK0102473
  pin min/max        : 6/15

Now I am trying to create CSR (certificate signing request), with OpenSSL. Command:
OPENSSL_CONF=hsm.conf openssl req -new -keyform engine -engine pkcs11 -x509 -subj "/CN=Test" -out cert.pem -key id_10


openssl_conf = openssl_def

engines = engine_section

distinguished_name = req_distinguished_name

# empty.

pkcs11 = pkcs11_section

engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/
MODULE_PATH = /usr/lib/x86_64-linux-gnu/
PIN = 123456
init = 0

Problem is, that I am getting error like this:

139816463811648:error:8207A054:PKCS#11 module:pkcs11_private_encrypt:Function not supported:p11_rsa.c:120:
139816463811648:error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:crypto/asn1/a_sign.c:224:

Thanks for any idea.
Tomas Klein

I found out, that if size of the key is RSA2048 there is no problem, but if key size is RSA3072 or RSA4096, there is the error with PKCS module.


RSA 4096 should be supported since OpenSC 0.19, but perhaps not in every place yet. We had similar topic here: Nitrokey HSM 2 - RSA Keys >2048. I think it would be worth to register a ticket there (OpenSC issues page), if all else fails.

Have you tried with PKCS#11 module, instead of OpenSC’s one? Here is its documentation, and the project.

You may want as well to update the smart card’s firmware:

Hi @Tomas_Klein!

Could you share briefly, which one of the proposed solutions has helped you?


problem was with library from OpenSC. Library from the smartcard-hsm webpage works :slight_smile:

1 Like