Self signed certificate authority: pkcs11 engine and openssl

Hi all,

I wan’t to use the Nitrokey HSM module to sign a self sign certificate with a self signed certificate authority. Below you can find the procedure that I’ve followed:

#Create self signed CA certificate (server certificate)

Create private key -

pkcs11-tool --module opensc-pkcs11.so -l --keypairgen --key-type EC:prime256v1 --id 10 --label "CA_private2"

Self-sign private key -

OPENSSL_CONF=./hsm.conf openssl req -engine pkcs11 -keyform engine -new -key 0:10 -sha256 -x509 -days 12775 -out CA_cert2.pem -subj /CN=CA -config <(echo '[req]'; echo 'distinguished_name=dn'; echo '[dn]'; echo '[ext]'; echo 'basicConstraints=CA:TRUE') -extensions ext

Creating device certificates

Create private key -

openssl ecparam -out bootstrap_device_private.pem -name prime256v1 -genkey

Convert private key to DER format -

openssl ec -in bootstrap_device_private.pem -out bootstrap_device_private.der -outform der

Create a certificate signing request for the private key -

openssl req -key bootstrap_device_private.pem -new -sha256 -out bootstrap_device_private_csr.pem -subj /CN=device_endpoint_name
# Sign the certificate signing request with the CA key and certificate -
OPENSSl_CONf=./hsm.conf openssl x509 -req -CAkeyform engine -engine pkcs11 -in bootstrap_device_private_csr.pem -sha256 -out bootstrap_device_cert.der -outform der -CA CA_cert2.pem -CAkey 0:10 -CAcreateserial -days 3650

But this doesn’t work. I receive the following terminal output:

der -outform der -CA CA_cert2.pem -CAkey 0:10 -CAcreateserial -days 3650
engine "pkcs11" set.
Signature ok
subject=CN = device_endpoint_name
Getting CA Private Key
Invalid slot number: 0
Invalid slot number: 0
PKCS11_get_private_key returned NULL
cannot load CA Private Key from engine
140208201277888:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:876:
140208201277888:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:78:
unable to load CA Private Key

Any suggestions?

Hi Sven,

can you provide me with the hsm.conf you have used so that I can test it myself? Furthermore, which system, OpenSSL and OpenSC version did you use?

Kind regards
Alex

Hi Alex, Thank you very much for your answer. I changed the pin in the hsm.conf file to the default pin. Below you can find the content:

/# PKCS11 engine config
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]
/# empty.

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
MODULE_PATH = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
PIN = 648219
init = 0

Hi Sven,

a short notice that I looked at this last week for a while and that I can confirm, that there is the described problem. I do not know how to overcome this problem yet though. I am sorry. I try to look at it again these days.

Kind regards
Alex

I do this. See my repo here https://github.com/jimmypw/ca-root-scripts

Hi Alex and Jimmypw,

Thank you for your answers!
@Jimmypw: I’m not a software developer so I’m a bit confused about your answer; Do I need to rebuild the sourcecode of something or do I need to replace some files?

Thank you for your answer!

Kind regards,
Sven

Hi!

The repository @jimmypw has linked provides a self-building package with the scripts for making the self-signed certificate via OpenSSL. The scripts can be used directly as well, if your OS is not RPM based (e.g. Fedora, RHEL, Centos etc.), though with manual work required. For the content please look at the following paths:

This one contains the default configuration:

I have just stumbled in the documentation on https://github.com/sektioneins/micro-ca-tool. Would that help?

I wrote these scripts because I had some pretty specialized requirements. If you are not a coder and would like a point and click interface I would highly recommend the xca tool https://hohnstaedt.de/xca/.

1 Like

Hi,

Thank you for your answers. Now I’m starting to understand it :). The git repository contains scripts, that I can use to obtain the same result? So I suppose that I just need to clone the git repo to my Ubuntu machine and execute a bash script and pipe some variables?

I’m a newbie in bash scripting :). I just don’t understand how and which variables I need to pass to your script to obtain the same result?

Thank you!

Best regards,
Sven

Hi!

All variables are set here:

and loaded by all the Bash scripts. To use it as a stand-alone scripts set, I think it would be best to copy all files to one directory, and change all paths to the config file to load from the local directory, where needed. The XCA looks like a good GUI as well, though I have not used it myself.

If you will be giving my scripts a go you will also need two dependencies


and

You can get by without sha2wordlist and comment out the relevant lines but the serialgen binary is used to create non-sequential serial numbers for resulting certificates.

I should probably package this up properly at some point if there is interest. Maybe this weekend if you can wait?

Hi Jimmypw,

Thanks a lot for all the help and information. I will try if I can make them work this afternoon :). I’ll let you know if it worked :).

Hi Jimmypw,

I’m unable to use the make files on ubuntu? Any suggestions about how to install it with the necessary dependencys?

Thank you!

By the way, maybe a stupid question :). What’s wrong with using my command:
OPENSSl_CONf=./hsm.conf openssl x509 -req -CAkeyform engine -engine pkcs11 -in bootstrap_device_private_csr.pem -sha256 -out bootstrap_device_cert.der -outform der -CA CA_cert2.pem -CAkey 0:10 -CAcreateserial -days 3650

is there a bug in openssl or in opensc?