I have a doubt whether what I’m trying to achieve is reasonable or not with the Nitrokey Start. I would like to use the key to sign software.
I started investigating the matter, and the first thing I need is to create a self-signed certificate from the RSA signing key.
For this I tried using openssl with the pkcs11 engine, using the opensc backend. The problem I'm facing is that I am not sure how to specify the key name in the openssl command:
$ openssl req -engine pkcs11 -new -key "pkcs11:object=1:03" -keyform engine -out req.pem -text -x509 -subj "/CN=my name"
engine "pkcs11" set.
PKCS#11 token PIN:
Key not found.
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
140575120598680:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:124:
unable to load Private Key
I have the following openssl.cnf (as seen on the opensc wiki):
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/opensc-pkcs11.so
init = 0
Am I pushing too far with the Nitrokey Start, and do I need a Nitrokey Pro or HSM instead?
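
How an RFC 7512 parser reads the -key value from the command above, as an added example that is not part of the original post: "object" names the object's label (CKA_LABEL), so "object=1:03" asks for a key labelled "1:03", while a key ID is written as a percent-encoded "id" attribute. The function names and the second URI are constructed for illustration, and only a subset of the RFC 7512 attributes is handled.

```python
"""Decompose an RFC 7512 PKCS#11 URI into the attributes it names."""
from urllib.parse import unquote_to_bytes

# Subset of RFC 7512 path attributes, mapped to the PKCS#11 field each matches.
PATH_ATTRS = {
    "token": "CK_TOKEN_INFO.label",
    "manufacturer": "CK_TOKEN_INFO.manufacturerID",
    "model": "CK_TOKEN_INFO.model",
    "serial": "CK_TOKEN_INFO.serialNumber",
    "slot-id": "CK_SLOT_ID",
    "object": "CKA_LABEL",
    "id": "CKA_ID",
    "type": "CKA_CLASS",
}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}


def parse_pkcs11_uri(uri):
    """Return {attribute: value}; 'id' is decoded to bytes, the rest to str."""
    scheme, sep, rest = uri.partition(":")
    if scheme != "pkcs11" or not sep:
        raise ValueError("not a pkcs11: URI")
    path = rest.split("?", 1)[0]  # query part (pin-source etc.) is ignored here
    attrs = {}
    for component in filter(None, path.split(";")):
        name, eq, raw = component.partition("=")
        if not eq or name not in PATH_ATTRS:
            raise ValueError(f"unknown or malformed attribute: {component!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute: {name}")
        value = unquote_to_bytes(raw)  # percent-decoding; ':' is a literal char
        attrs[name] = value if name == "id" else value.decode("utf-8")
    if "type" in attrs and attrs["type"] not in OBJECT_TYPES:
        raise ValueError(f"invalid object type: {attrs['type']!r}")
    return attrs


def describe(uri):
    """Same as parse_pkcs11_uri, keyed by the PKCS#11 field that is matched."""
    return {PATH_ATTRS[k]: v for k, v in parse_pkcs11_uri(uri).items()}


if __name__ == "__main__":
    samples = (
        "pkcs11:object=1:03",          # the URI from the post
        "pkcs11:id=%03;type=private",  # constructed; read the real CKA_ID from the token
    )
    for uri in samples:
        print(uri, "->", describe(uri))
```
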