Processing Certificate Signing Requests

hi,

I want to process Certificate Signing Requests in order to produce certificates, but have not been able to figure out how to accomplish this with the NetHSM. I get CSRs from external devices which I want to do some checks on and then produce client certificates that I return to these devices. I'm using the REST API to communicate with the NetHSM from my server application.

I have managed to provision the NetHSM, create admin users and namespaces, have generated a keypair that I want to use as my rootCA key, but now I’m a bit stuck.

I’ve tried to figure out how to do this using nitropy utility or the REST API, but no luck.

(Rather than provisioning the rack-mounted NetHSM we have, I’ve experimented using the nethsm docker image published at docker.io/nitrokey/nethsm:testing. Not that I think this detail is important.)

Are there any examples I can look at? Does anyone else do this?

-Bjørn

Hello,

There are some examples in the Nitrokey documentation.

Like here:

https://docs.nitrokey.com/nethsm/operation#key-certificate-signing-requests

This is for generating CSRs, not signing them. However, I’ve figured out how I might do this in Go using the Sign API call. Will update with some code when I’ve succeeded.

It depends what you mean by “signing CSRs” - a CSR is signed by the key you want to have a certificate for, and this is what @alexandre’s answer gives you.

You might also mean you would like to have a certificate issued for a given CSR.

I don’t see any option there designed to specifically sign X.509 certificate structures in the API (I would be surprised to find one).

If you want to have a new certificate issued, you have to generate an X.509 certificate and sign it using the /keys/{KeyID}/sign operation, assuming the key for the certificate authority is on the NetHSM.

If you follow the Python example X.509 Certificate Builder, the following step needs to be done via the NetHSM:

```python
from cryptography.hazmat.primitives import hashes

# this is the step that uses the CA private key, so it is the one that has to happen inside the NetHSM
certificate = builder.sign(
    private_key=private_key, algorithm=hashes.SHA256(),
)
```

but unfortunately, as in many libraries, it is difficult to redirect this step to the HSM.

Personally I am using Mozilla’s NSS library for this because it has very good PKCS#11 HSM support. It is also possible to use OpenSSL and its engines, or whatever they have now after 3.0.

Setting up a certificate authority might need some extra steps, but I am sure that the actual signing of the certificates can be done by NetHSM.

You can inherit from the *PrivateKey classes to implement CSR signing using cryptography and the NetHSM. This file shows how to do this using a PIV smartcard. Similar code could be used together with the Python NetHSM SDK for the NetHSM.