Self signed certificate authority: pkcs11 engine and openssl

Hi all,

I want to use the Nitrokey HSM module to sign a self-signed certificate with a self-signed certificate authority. Below you can find the procedure that I’ve followed:

Create self-signed CA certificate (server certificate)

Create private key -

pkcs11-tool --module -l --keypairgen --key-type EC:prime256v1 --id 10 --label "CA_private2"

Self-sign private key -

OPENSSL_CONF=./hsm.conf openssl req -engine pkcs11 -keyform engine -new -key 0:10 -sha256 -x509 -days 12775 -out CA_cert2.pem -subj /CN=CA -config <(echo '[req]'; echo 'distinguished_name=dn'; echo '[dn]'; echo '[ext]'; echo 'basicConstraints=CA:TRUE') -extensions ext

Creating device certificates

Create private key -

openssl ecparam -out bootstrap_device_private.pem -name prime256v1 -genkey

Convert private key to DER format -

openssl ec -in bootstrap_device_private.pem -out bootstrap_device_private.der -outform der

Create a certificate signing request for the private key -

openssl req -key bootstrap_device_private.pem -new -sha256 -out bootstrap_device_private_csr.pem -subj /CN=device_endpoint_name

Sign the certificate signing request with the CA key and certificate -

OPENSSl_CONf=./hsm.conf openssl x509 -req -CAkeyform engine -engine pkcs11 -in bootstrap_device_private_csr.pem -sha256 -out bootstrap_device_cert.der -outform der -CA CA_cert2.pem -CAkey 0:10 -CAcreateserial -days 3650

But this doesn’t work. I receive the following terminal output:

der -outform der -CA CA_cert2.pem -CAkey 0:10 -CAcreateserial -days 3650
engine "pkcs11" set.
Signature ok
subject=CN = device_endpoint_name
Getting CA Private Key
Invalid slot number: 0
Invalid slot number: 0
PKCS11_get_private_key returned NULL
cannot load CA Private Key from engine
140208201277888:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:876:
140208201277888:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:78:
unable to load CA Private Key

Any suggestions?

Hi Sven,

Can you provide me with the hsm.conf you used so that I can test it myself? Furthermore, which system, OpenSSL and OpenSC versions did you use?

Kind regards

Hi Alex, Thank you very much for your answer. I changed the pin in the hsm.conf file to the default pin. Below you can find the content:

# PKCS11 engine config
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]
# empty.

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/
MODULE_PATH = /usr/lib/x86_64-linux-gnu/
PIN = 648219
init = 0

Hi Sven,

A short note: I looked at this for a while last week and can confirm that the described problem exists. I do not know how to overcome it yet, though. I am sorry. I will try to look at it again in the next few days.

Kind regards

I do this. See my repo here
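
Added example, not part of any post in this thread and not code from the OpenSSL or libp11 projects: a POSIX shell pre-flight for the commands in the question. It rewrites a legacy engine key spec such as `0:10` as a PKCS#11 URI that names the key by object ID rather than slot number, and lists any `NAME=value` prefix whose name matches `OPENSSL_CONF` only when case is ignored. The function names `keyspec_to_uri` and `misspelled_conf_vars` are hypothetical, the list of legacy key spec forms is an assumption about the libp11 engine that goes beyond the one form used above, and the sample inputs are taken from the question.

```sh
# Added example, not from the thread. Function names are hypothetical.

# Rewrite a legacy engine key spec as a PKCS#11 URI (RFC 7512).
# Accepted (assumed libp11 forms): <slot>:<hexid>, <hexid>, id_<hexid>,
# label_<label>, slot_<n>-id_<hexid>, slot_<n>-label_<label>; URIs pass through.
# The slot number is validated and then dropped: slot numbering belongs to
# the loaded PKCS#11 module, the object ID was chosen at key generation.
keyspec_to_uri() (
    spec=$1 slot=
    case $spec in
        pkcs11:*) printf '%s\n' "$spec"; exit 0 ;;
        slot_*-*) slot=${spec#slot_}; slot=${slot%%-*}; spec=${spec#slot_*-} ;;
        *:*)      slot=${spec%%:*}; spec=id_${spec#*:} ;;
    esac
    case $slot in *[!0-9]*) exit 1 ;; esac
    case $spec in
        label_*)
            label=${spec#label_}
            # Accept only characters that need no percent-encoding.
            case $label in ''|*[!A-Za-z0-9_.-]*) exit 1 ;; esac
            printf 'pkcs11:object=%s;type=private\n' "$label" ;;
        *)
            id=${spec#id_}
            # The ID is hex, as given to pkcs11-tool --id; whole bytes only.
            case $id in ''|*[!0-9A-Fa-f]*) exit 1 ;; esac
            [ $(( ${#id} % 2 )) -eq 0 ] || exit 1
            printf 'pkcs11:id=%s;type=private\n' \
                "$(printf '%s' "$id" | sed 's/../%&/g')" ;;
    esac
)

# Print each NAME=value prefix of a command line whose NAME equals
# OPENSSL_CONF only when case is ignored. Environment names are
# case-sensitive, so OpenSSL then falls back to its default config file.
misspelled_conf_vars() (
    set -f    # split into words without glob expansion
    for word in $1; do
        case $word in *=*) ;; *) break ;; esac    # stop at the command name
        name=${word%%=*}
        upper=$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')
        if [ "$upper" = OPENSSL_CONF ] && [ "$name" != OPENSSL_CONF ]; then
            printf '%s\n' "$name"
        fi
    done
)

keyspec_to_uri 0:10
misspelled_conf_vars 'OPENSSl_CONf=./hsm.conf openssl x509 -req -CAkey 0:10'
```

The URI form goes wherever the commands take `0:10`, for example `-CAkey 'pkcs11:id=%10;type=private'`.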