This is to explain how to use SoftHsm before you employing HW based one.
Install on Ubuntu 22 LTS
1. Packages you may need pkg-config, autoconf-archive, libssl-dev, libttol, automake,
2. You can compile softhsm by cloning the repo from https://github.com/opendnssec/SoftHSMv2
3. Also clone https://github.com/OpenSC/libp11.git or you can do "sudo at install opensc-pkcs11"
4. Install "sudo apt install pkcs11-tool"
5. You should have /usr/lib/aarch64-linux-gnu/opensc-pkcs11.so ,
pkcs11-tool --module /PATH-TO/libsofthsm2.so -M
Configuring
My /etc/softhsm2.conf looks like below.
# SoftHSM v2 configuration file
directories.tokendir = /var/lib/softhsm/tokens/
objectstore.backend = file
# ERROR, WARNING, INFO, DEBUG
log.level = ERROR
# If CKF_REMOVABLE_DEVICE flag should be set
slots.removable = false
# Enable and disable PKCS#11 mechanisms using slots.mechanisms.
slots.mechanisms = ALL
# If the library should reset the state on fork
library.reset_on_fork = false
PKCS11-TOOL usage
Init token
tmarri@tiru:~/src/crypto/hsm/softhsm-2.6.1$ softhsm2-util --init-token --slot 1 --label rsa2k
=== SO PIN (4-255 characters) ===
Please enter SO PIN: ****. #1234
Please reenter SO PIN: ****
=== User PIN (4-255 characters) ===
Please enter user PIN: ****. #1234
Please reenter user PIN: ****
The token has been initialized and is reassigned to slot 1688066487
Mechanism supported:
pkcs11-tool --module /PATH-TO/libsofthsm2.so -M
List slots:
marri@tiru:~/src/crypto/hsm/softhsm-2.6.1$ softhsm2-util --show-slots
Available slots:
Slot 1688066487
Slot info:
Description: SoftHSM slot ID 0x649dd9b7
Manufacturer ID: SoftHSM project
Hardware version: 2.6
Firmware version: 2.6
Token present: yes
Token info:
Manufacturer ID: SoftHSM project
Model: SoftHSM v2
Hardware version: 2.6
Firmware version: 2.6
Serial number: d83cf3bae49dd9b7
Initialized: yes
User PIN init.: yes
Label: rsa2k
Slot 1842849688
Slot info:
Description: SoftHSM slot ID 0x6dd7a798
Manufacturer ID: SoftHSM project
Hardware version: 2.6
Firmware version: 2.6
Token present: yes
Token info:
Manufacturer ID: SoftHSM project
Model: SoftHSM v2
Hardware version: 2.6
Firmware version: 2.6
Serial number: 45a1db9eedd7a798
Initialized: yes
User PIN init.: yes
Label: Key pairs
Slot 2
Slot info:
Description: SoftHSM slot ID 0x2
Manufacturer ID: SoftHSM project
Hardware version: 2.6
Firmware version: 2.6
Token present: yes
Token info:
Manufacturer ID: SoftHSM project
Model: SoftHSM v2
Hardware version: 2.6
Firmware version: 2.6
Serial number:
Initialized: no
User PIN init.: no
Label:
Initialize the default slot which is not initialized yet
pkcs11-tool --module /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so --init-token --slot 2 --label tiru
Reinitialize token
pkcs11-tool --module /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so -l -p 1234 --token mytoken -O
Initialize uer PIN
pkcs11-tool --module /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so -l -p 1234 --token mytoken -O
List objects under given token
tmarri@tiru:~/src/crypto/hsm/data$ pkcs11-tool --module /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so -l -p 1234 --token rsa2k --list-objects
Private Key Object; EC
label: rsa2k_1
ID: 01
Usage: decrypt, sign, unwrap
Access: sensitive, always sensitive, never extractable, local
Private Key Object; RSA
label: rsa2k
Usage: decrypt, sign, unwrap
Access: sensitive, always sensitive, never extractable, local
Private Key Object; RSA
label:
ID: 04
Usage: decrypt, sign, unwrap
Access: sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2048 bits
label:
ID: 04
Usage: encrypt, verify, wrap
Access: local
Private Key Object; EC
label:
ID: 01
Usage: decrypt, sign, unwrap, derive
Access: sensitive, always sensitive, never extractable, local
Public Key Object; EC EC_POINT 256 bits
EC_POINT: 0441047c81112f21306d74170e17f967b917239f3ac3ba31fceac4828277f58b169bc7b1749ecce889071f8bff64fb4908975f707faaf06ccc806508e99610a4656257
EC_PARAMS: 06082a8648ce3d030107
label:
ID: 01
Usage: encrypt, verify, wrap, derive
Access: local
Private Key Object; RSA
label: tiru
Usage: decrypt, sign, unwrap
Access: sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2028 bits
label: rsa2k
Usage: encrypt, verify, wrap
Access: local
Private Key Object; RSA
label: rsa2k
Usage: decrypt, sign, unwrap
Access: sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2028 bits
label: rsa2k
Usage: encrypt, verify, wrap
Access: local
Public Key Object; RSA 2028 bits
label: tiru
Usage: encrypt, verify, wrap
Access: local
Private Key Object; RSA
label: tiru
Usage: decrypt, sign, unwrap
Access: sensitive, always sensitive, never extractable, local
Public Key Object; EC EC_POINT 384 bits
EC_POINT: 046104c613a092e7a1ea66a566813876c195e0cae17715c0ff6c56fb2f0b6ffe909991f43cf31bdfa2b5423c423c368a9c1431c70492d4694281021cece83e5faf734cbc43c92371903976f049ca3d212cad8e9a51d9657256b12094992aca1fcc17c3
EC_PARAMS: 06052b81040022
label: rsa2k_1
ID: 01
Usage: encrypt, verify, wrap
Access: local
Public Key Object; RSA 2028 bits
label: tiru
Usage: encrypt, verify, wrap
Access: local
Keygen
Using pkcs11-tool
tmarri@tiru:~/src/crypto/hsm/softhsm-2.6.1$ pkcs11-tool --module /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so -L
Available slots:
Slot 0 (0x649dd9b7): SoftHSM slot ID 0x649dd9b7
token label : rsa2k
token manufacturer : SoftHSM project
token model : SoftHSM v2
token flags : login required, rng, token initialized, PIN initialized, other flags=0x20
hardware version : 2.6
firmware version : 2.6
serial num : d83cf3bae49dd9b7
pin min/max : 4/255
Slot 1 (0x6dd7a798): SoftHSM slot ID 0x6dd7a798
token label : Key pairs
token manufacturer : SoftHSM project
token model : SoftHSM v2
token flags : login required, rng, token initialized, PIN initialized, other flags=0x20
hardware version : 2.6
firmware version : 2.6
serial num : 45a1db9eedd7a798
pin min/max : 4/255
Slot 2 (0x2): SoftHSM slot ID 0x2
token state: uninitialized
Example dumping key object info for the given slot "0x649dd9b7" :
pkcs11-tool --module /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so -O --slot 0x649dd9b7
Roles
There is User and SO role exist per slot. When ever new slot created and being initialized you will be asked to create PIN for both roles.
Keygen
tmarri@tiru:~/src/crypto/hsm/softhsm-2.6.1$ pkcs11-tool --module /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so --token-label rsa2k --login --pin 1234 --keypairgen --mechanism ECDSA-KEY-PAIR-GEN --key-type EC:secp384r1 --usage-sign --label rsa2k_1 --id 1
Key pair generated:
Private Key Object; EC
label: rsa2k_1
ID: 01
Usage: decrypt, sign, unwrap
Access: sensitive, always sensitive, never extractable, local
Public Key Object; EC EC_POINT 384 bits
EC_POINT: 046104c613a092e7a1ea66a566813876c195e0cae17715c0ff6c56fb2f0b6ffe909991f43cf31bdfa2b5423c423c368a9c1431c70492d4694281021cece83e5faf734cbc43c92371903976f049ca3d212cad8e9a51d9657256b12094992aca1fcc17c3
EC_PARAMS: 06052b81040022
label: rsa2k_1
ID: 01
Usage: encrypt, verify, wrap
Access: local
Generate EC keypair
tmarri@tiru:/usr$ pkcs11-tool --module /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so --login --login-type user --keypairgen --id 1 --key-type EC:prime256v1
Using slot 0 with a present token (0x649dd9b7)
Please enter User PIN: <<1234
Usage: decrypt, sign, unwrap, derive
Access: sensitive, always sensitive, never extractable, local
Public Key Object; EC EC_POINT 256 bits
EC_POINT: 0441047c81112f21306d74170e17f967b917239f3ac3ba31fceac4828277f58b169bc7b1749ecce889071f8bff64fb4908975f707faaf06ccc806508e99610a4656257
EC_PARAMS: 06082a8648ce3d030107
Usage: encrypt, verify, wrap, derive
Generate RSA keypair
tmarri@tiru:~/src/crypto/hsm/data$ pkcs11-tool --module /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so --login --login-type user --keypairgen --id 4 --key-type rsa:2048
Using slot 0 with a present token (0x649dd9b7)
Usage: decrypt, sign, unwrap
Access: sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2048 bits
Usage: encrypt, verify, wrap
Sign using Asymmetric key
Step1: Generate hash of your file
tmarri@tiru:~/src/crypto/hsm/data$ pkcs11-tool --module /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so --token-label rsa2k --hash --mechanism SHA256 --input-file data.txt --output-file data.hash
Using digest algorithm SHA256
Step2 : Sign the data.hash to data_ec.sign or data_rsa.sign
RSA:
tmarri@tiru:~/src/crypto/hsm/data$ pkcs11-tool --module /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so --slot 0x649dd9b7 -m RSA-PKCS --sign --id 4 -i data.hash -o data_rsa.sig
Logging in to "rsa2k".
Please enter User PIN:
Using signature algorithm RSA-PKCS
tmarri@tiru:~/src/crypto/hsm/data$ ls -l data_rsa.sig
-rw------- 1 tmarri tmarri 256 May 5 11:24 data_rsa.sig
ECDSA:
tmarri@tiru:~/src/crypto/hsm/data$ pkcs11-tool --module /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so --slot 0x649dd9b7 -m ECDSA --sign --id 1 -i data.txt -o data_ec.sig
Logging in to "rsa2k".
Please enter User PIN:
Using signature algorithm ECDSA
tmarri@tiru:~/src/crypto/hsm/data$ ls -l data_ec.sig
-rw------- 1 tmarri tmarri 96 May 5 11:26 data_ec.sig
Verify :
marri@tiru:~/src/crypto/hsm/data$ cat sign.sh
LIB='/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so'
LIB='/home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so'
echo test > myfile
softhsm2-util --init-token --label mytoken --free --pin 0000 --so-pin 1234
pkcs11-tool --module $LIB --token-label mytoken --login --pin 0000 --keypairgen --key-type EC:prime256v1 --usage-sign --label mykey
pkcs11-tool --module $LIB --token-label mytoken --label mykey --read-object --type pubkey --output mykey.pub
pkcs11-tool --module $LIB --token-label mytoken --hash --mechanism SHA256 --input-file myfile --output-file myfile.hash
pkcs11-tool --module $LIB --token-label mytoken --login --pin 0000 --label mykey --sign --mechanism ECDSA --signature-format openssl --input-file myfile.hash --output-file myfile.sig
openssl dgst -sha256 -verify mykey.pub -keyform DER -signature myfile.sig myfile
marri@tiru:~/src/crypto/hsm/data$ ./sign.sh
Slot 3 has a free/uninitialized token.
The token has been initialized and is reassigned to slot 298546351
Usage: decrypt, sign, unwrap
Access: sensitive, always sensitive, never extractable, local
Public Key Object; EC EC_POINT 256 bits
EC_POINT: 044104aecaa2492cd3dd6f6dfdaedc1e4b07108dd61be1f6001e830954f57712613bdb38f720ba20489584d96fe212579e2641b0452777dfce8723ead583e6fd2de64b
EC_PARAMS: 06082a8648ce3d030107
Usage: encrypt, verify, wrap
Using digest algorithm SHA256
Using signature algorithm ECDSA
Integrate with Openssl
Edit sudo /etc/ssl/openssl.cnf, with following changes . You can refer to my openssl.cnf
[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect
engines=engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/aarch64-linux-gnu/engines-3/libpkcs11.so
MODULE_PATH = /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so
init = 0
create this file structure
mkdir certs private crl csr newcerts
chmod 400 private
/home/tmarri/src/crypto/hsm/data$ find . -type d
.
./csr
./certs
./private
./crl
./newcerts
Create these two files
1. $touch index.txt
2. $echo 1000 > serial
Also make sure you modify the /etc/ssl/openssl.cnf file with apprporiate changes to
[ CA_default ]
dir = /home/tmarri/src/crypto/hsm/data # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/certs/root.ca.cert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
x509_extensions = usr_cert # The extensions to add to the cert
Create X509 certifiati using key in slot-2and rsa2k
URI : 'pkcs11:model=SoftHSM%20v2;token=rsa2k;object=rsa2k_1;pin-value=1234'
marri@tiru:~$ openssl req -engine pkcs11 -new -keyform engine -key 'pkcs11:model=SoftHSM%20v2;token=rsa2k;object=rsa2k_1;pin-value=1234' -x509 -subj "/CN=Tirumala Marri"
-----BEGIN CERTIFICATE-----
MIIBxTCCAUqgAwIBAgIUGhIL9syLPIio2Xz3s+24etWBJiEwCgYIKoZIzj0EAwIw
GTEXMBUGA1UEAwwOVGlydW1hbGEgTWFycmkwHhcNMjMwNTA0MDIyOTM1WhcNMjMw
NjAzMDIyOTM1WjAZMRcwFQYDVQQDDA5UaXJ1bWFsYSBNYXJyaTB2MBAGByqGSM49
AgEGBSuBBAAiA2IABMYToJLnoepmpWaBOHbBleDK4XcVwP9sVvsvC2/+kJmR9Dzz
G9+itUI8Qjw2ipwUMccEktRpQoECHOzoPl+vc0y8Q8kjcZA5dvBJyj0hLK2OmlHZ
ZXJWsSCUmSrKH8wXw6NTMFEwHQYDVR0OBBYEFC8Q6/Yzh9vu5Gob9BR9aItvL9Gx
MB8GA1UdIwQYMBaAFC8Q6/Yzh9vu5Gob9BR9aItvL9GxMA8GA1UdEwEB/wQFMAMB
Af8wCgYIKoZIzj0EAwIDaQAwZgIxAKgJywUNdS7tzcHp3ZmjFj/iua+Q+a2xCo5R
Y/tRpGr/9mcl16t5kLuw8zyKoRAfswIxAPTe3mpX6dXt0xz4ZMXpI5b5ucLNB6vI
OhC6Yfc57LsZOYhFCJwi9es3FTLOKJhysQ==
-----END CERTIFICATE-----
Build own CA
1. Create directory structure
1. Generate keys
2. Gerate CRT
tmarri@tiru:~/src/crypto/hsm/data$ pkcs11-tool --module /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so -l --keypairgen --key-type rsa:4096 --id 01 --label "SSL Root CA 01"
Using slot 0 with a present token (0x11cb74af)
Usage: decrypt, sign, unwrap
Access: sensitive, always sensitive, never extractable, local
Public Key Object; RSA 4096 bits
Usage: encrypt, verify, wrap
tmarri@tiru:~/src/crypto/hsm/data$
tmarri@tiru:~/src/crypto/hsm/data$
tmarri@tiru:~/src/crypto/hsm/data$ pkcs11-tool --module /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so -l --keypairgen --key-type rsa:4096 --id 02 --label "SSL Root CA 01"
Using slot 0 with a present token (0x11cb74af)
Usage: decrypt, sign, unwrap
Access: sensitive, always sensitive, never extractable, local
Public Key Object; RSA 4096 bits
Usage: encrypt, verify, wrap
Generate root CS using key 01:
openssl req -new -x509 -days 7300 -sha512 -extensions v3_ca -engine pkcs11 -keyform engine -key 298546351:01 -out certs/root.ca.cert.pem
tmarri@tiru:~/src/crypto/hsm/data$ openssl req -new -x509 -days 7300 -sha512 -extensions v3_ca -engine pkcs11 -keyform engine -key 'pkcs11:model=SoftHSM%20v2;token=mytoken;object=SSL Root CA 01;pin-value=1234' -out certs/root.ca.cert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:xxxxx
Organizational Unit Name (eg, section) []:SW
Common Name (e.g. server FQDN or YOUR name) []:Tirumala
Email Address []:xxxx@xxxx.com
tmarri@tiru:~/src/crypto/hsm/data$ openssl x509 -in certs/root.ca.cert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
23:d6:08:5a:60:69:e8:8d:00:fd:6d:e1:3a:0e:e5:cd:65:d0:4a:b2
Signature Algorithm: sha512WithRSAEncryption
Issuer: C = US, ST = California, O = Internet Widgits Pty Ltd, OU = SW, CN = Tiru, emailAddress = tiru@tiru.com
Validity
Not Before: May 12 18:56:30 2023 GMT
Not After : May 7 18:56:30 2043 GMT
Subject: C = US, ST = California, O = Internet Widgits Pty Ltd, OU = SW, CN = Tiru, emailAddress = tiru@tiru.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:b3:fc:57:ca:fa:32:c3:49:08:af:77:4d:d3:0e:
0f:c7:ce:ff:be:0e:6a:be:da:e5:1b:54:0a:2d:c3:
4a:6f:38:52:cd:57:b2:27:4f:fb:0f:c2:ef:c6:bb:
be:b0:d8:dc:40:80:57:f3:c0:25:c8:3d:38:b6:61:
32:4e:16:82:22:8a:d8:1a:cc:bf:e8:f9:e2:89:cc:
f9:d0:f4:f4:bb:bd:a1:91:ba:df:a3:d2:c0:03:df:
63:df:8b:ef:be:61:6e:a7:2e:c6:f1:33:21:e0:f0:
97:65:3a:b4:1f:a0:ee:2f:dd:ce:d3:22:7e:b0:5c:
3f:bb:5c:f9:43:fa:30:b5:b8:f6:76:f2:3e:52:15:
77:28:66:89:c8:fb:52:ae:e5:23:d9:b5:d1:12:61:
08:68:76:ef:46:a9:ae:c7:bd:81:a0:a7:24:5d:b7:
a5:3b:a4:f8:c6:b2:10:1f:19:47:7b:37:3b:2b:57:
c0:0b:87:44:e0:a4:10:fc:10:aa:9f:15:b2:f2:b4:
07:94:2e:42:a4:04:a6:09:37:bb:75:d5:00:85:a5:
64:2d:07:d7:51:4a:4b:86:fd:3c:e1:cc:c6:d9:5b:
1d:ee:78:99:bc:d2:62:6b:82:3a:df:8b:a5:b2:a9:
6a:25:4f:e1:b6:60:5c:2a:69:43:31:7a:a2:25:8b:
94:5f:33:1c:eb:21:fe:10:b6:43:ee:43:f2:ba:89:
f0:ea:f3:3a:4f:c1:29:42:52:b5:bf:4c:51:9c:cd:
84:c6:43:fd:8d:36:ee:68:6c:d7:bf:31:94:c0:f4:
ee:29:0b:02:40:17:33:f0:e3:e5:33:4b:ef:f2:f4:
91:87:14:3d:61:74:ed:55:df:12:ab:d8:ab:38:8c:
3f:89:fa:bf:f3:c3:80:7c:1a:08:6c:c6:f0:11:55:
1e:fa:88:be:b4:2a:68:96:78:83:ba:5d:90:4c:e3:
64:56:d6:a4:67:c9:90:62:af:41:07:1e:6a:ab:42:
be:10:5a:05:19:5c:d2:37:fa:f2:9e:fe:f7:11:86:
c7:36:db:e7:3a:c2:6c:db:85:31:21:ad:47:5f:d7:
f1:17:fd:75:35:cc:b6:a2:23:6e:02:b5:1c:42:01:
ce:6a:aa:20:d2:5e:1e:24:c5:2f:68:6b:63:2e:3c:
54:88:eb:98:7a:d1:90:03:25:09:17:2e:f2:4a:54:
6c:54:89:d6:4e:8e:4d:11:98:38:fd:a0:e3:a1:5f:
f4:6d:68:a8:f7:af:40:5c:9b:05:91:92:c9:1d:6f:
27:cf:9f:9a:07:de:80:68:b4:0a:b4:ed:96:7f:fb:
61:e6:50:9c:0e:28:b3:ac:04:59:14:25:1d:02:17:
03:73:5d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
BD:18:E1:B1:B0:E1:6B:94:9F:69:42:C1:FB:7D:23:56:CD:30:31:E6
X509v3 Authority Key Identifier:
BD:18:E1:B1:B0:E1:6B:94:9F:69:42:C1:FB:7D:23:56:CD:30:31:E6
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha512WithRSAEncryption
Signature Value:
63:a4:52:15:e4:9a:93:b2:32:80:6f:f5:29:74:37:f2:85:5f:
4d:a1:40:45:65:a1:c6:f7:7f:72:d4:47:09:87:84:81:c3:c1:
86:7f:7e:82:46:13:63:ed:05:54:2a:5f:47:a6:ca:48:5d:2d:
71:fc:bc:8e:e7:19:f8:63:1d:05:70:7a:34:de:bf:f0:38:e1:
c2:74:35:30:83:1a:fc:e4:10:c7:c2:fa:fe:fc:ab:6b:c7:e5:
0d:12:16:a1:d9:b3:14:b7:c0:25:ae:41:1f:27:53:55:52:32:
85:e7:73:f8:ab:80:be:f3:9f:66:1c:81:27:17:e4:69:51:58:
8e:e6:fa:b8:6f:2d:e9:d3:77:98:7b:3d:ea:25:8a:16:41:3a:
11:3e:83:88:36:c9:2b:d3:7f:bc:c2:c2:62:29:d9:05:bd:66:
50:3d:81:9a:b8:04:e8:c9:92:04:84:ac:1f:41:ba:b6:11:94:
07:98:b1:aa:01:e7:97:3d:d3:df:62:fa:3e:62:6f:98:66:b0:
dd:1d:11:c3:38:d9:5b:bf:ec:30:09:e3:8c:e9:51:62:19:00:
43:83:16:e8:1b:86:e5:19:4d:14:96:87:cf:c5:f4:94:be:f0:
98:24:2d:72:de:5d:ec:2f:75:f2:f8:7d:b8:33:3a:f9:8e:51:
08:c4:54:1e:39:3c:43:9b:9e:e7:2b:f5:09:17:4d:4c:82:1d:
e1:53:62:5e:dc:61:e8:40:dc:03:84:9b:2b:40:43:98:e9:9d:
78:bb:a9:74:38:f8:9b:44:f0:8f:8f:d8:c4:4f:b7:27:b2:07:
86:d2:dc:45:a1:b5:bf:47:fd:71:eb:35:06:99:e4:38:c9:e8:
1b:12:54:db:05:b2:52:ea:63:a8:a9:72:18:15:97:a0:93:0c:
ec:2f:b4:a0:8a:31:77:64:e4:3b:43:04:ce:b4:86:d1:73:dc:
25:82:0a:b1:b6:ec:99:72:02:48:97:bb:6a:a2:d9:5f:f2:6d:
5a:d7:68:f7:21:a5:d3:83:f6:fb:bb:aa:e3:06:78:3e:8d:1c:
50:79:5e:65:10:7f:d8:19:bf:af:59:33:18:3a:34:3c:49:22:
57:bf:8f:9f:07:d9:21:3c:8d:82:c2:d2:17:f7:21:ba:ca:95:
1f:61:0b:0b:27:0f:00:03:87:12:7a:bf:b5:37:27:f7:3e:85:
54:fd:f2:0a:d7:dd:eb:6e:c0:7f:c4:a0:33:6d:43:5a:8d:45:
d9:48:1b:fa:9b:e0:7d:e0:ac:5b:f0:38:d9:e8:73:a9:f1:f6:
fc:c4:9f:c5:65:4d:28:5d:26:14:11:61:46:61:72:30:3e:50:
78:f0:66:75:a8:cd:46:78
Create secondary cert with second key
tmarri@tiru:~/src/crypto/hsm/data$ openssl req -engine pkcs11 -keyform engine -key 298546351:02 -new -sha512 -out csr/issue.ca.csr
Engine "pkcs11" set.
Enter PKCS#11 token PIN for mytoken:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
California [California]:
Saratoga []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:SW
Common Name (e.g. server FQDN or YOUR name) []:Tiru
Email Address []:tiru@tiru.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234
An optional company name []:
tmarri@tiru:~/src/crypto/hsm/data$ openssl ca -engine pkcs11 -keyform engine -keyfile 298546351:01 -extensions v3_intermediate_ca -days 3650 -notext -md sha512 -in csr/issue.ca.csr -out certs/issue.ca.cert.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter PKCS#11 token PIN for mytoken:
Check that the request matches the signature
Serial Number: 4096 (0x1000)
Not Before: May 12 19:41:54 2023 GMT
Not After : May 9 19:41:54 2033 GMT
stateOrProvinceName = California
organizationName = Internet Widgits Pty Ltd
organizationalUnitName = SW
emailAddress = tiru@tiru.com
X509v3 Subject Key Identifier:
33:D2:7A:9B:39:2D:9D:47:4F:19:40:91:D6:B0:58:EE:77:44:D1:8B
X509v3 Authority Key Identifier:
BD:18:E1:B1:B0:E1:6B:94:9F:69:42:C1:FB:7D:23:56:CD:30:31:E6
X509v3 Basic Constraints: critical
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Certificate is to be certified until May 9 19:41:54 2033 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
combine cert chain & verify
tmarri@tiru:~/src/crypto/hsm/data$ cat certs/issue.ca.cert.pem certs/root.ca.cert.pem > certs/spki.cert.pem
tmarri@tiru:~/src/crypto/hsm/data$ openssl x509 -in certs/spki.cert.pem -noout -text
Serial Number: 4096 (0x1000)
Signature Algorithm: sha512WithRSAEncryption
Issuer: C = US, ST = California, O = Internet Widgits Pty Ltd, OU = SW, CN = Tiru, emailAddress = tiru@tiru.com
Not Before: May 12 19:41:54 2023 GMT
Not After : May 9 19:41:54 2033 GMT
Subject: C = US, ST = California, O = Internet Widgits Pty Ltd, OU = SW, CN = Tiru, emailAddress = tiru@tiru.com
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
00:9f:23:5b:fb:6c:66:b4:ec:72:ec:a5:ed:69:ba:
92:d5:78:34:47:d8:13:f8:0b:09:7b:ed:0f:2b:1a:
-------------
p11tool list all certs
marri@tiru:~/src/crypto/hsm/data$ p11tool --provider /usr/local/lib/softhsm/libsofthsm2.so --list-all
warning: no token URL was provided for this operation; the available tokens are:
pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=b654d88b91cb74af;token=mytoken
pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=d83cf3bae49dd9b7;token=rsa2k
pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=45a1db9eedd7a798;token=Key%20pairs
pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=a70324c3fd3e0fc4;token=tiru
tmarri@tiru:~/src/crypto/hsm/data$ p11tool --provider /usr/local/lib/softhsm/libsofthsm2.so --list-all 'pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=b654d88b91cb74af;token=mytoken'
URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=b654d88b91cb74af;token=mytoken;id=%01;object=mytoken;type=cert
Type: X.509 Certificate (RSA-4096)
Expires: Tue May 5 13:35:14 2043
Flags: CKA_CERTIFICATE_CATEGORY=CA; CKA_TRUSTED;
URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=b654d88b91cb74af;token=mytoken;id=%01;object=mytoken;type=cert
Type: X.509 Certificate (RSA-4096)
Expires: Tue May 5 13:35:14 2043
Flags: CKA_CERTIFICATE_CATEGORY=CA; CKA_TRUSTED;
URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=b654d88b91cb74af;token=mytoken;id=%01;object=mytoken;type=cert
Type: X.509 Certificate (RSA-4096)
Expires: Tue May 5 13:35:14 2043
Flags: CKA_CERTIFICATE_CATEGORY=CA; CKA_TRUSTED;
URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=b654d88b91cb74af;token=mytoken;id=%01;object=SSL%20Root%20CA%2001;type=public
Type: Public key (RSA-4096)
URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=b654d88b91cb74af;token=mytoken;id=%02;object=SSL%20Root%20CA%2001;type=public
Type: Public key (RSA-4096)
URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=b654d88b91cb74af;token=mytoken;type=cert
URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=b654d88b91cb74af;token=mytoken;id=%01;object=mytoken;type=cert
Type: X.509 Certificate (RSA-4096)
Expires: Tue May 5 13:35:14 2043
Flags: CKA_CERTIFICATE_CATEGORY=CA; CKA_TRUSTED;
pkcs11-tool -l --pin '1234' --module /usr/local/lib/softhsm/libsofthsm2.so --write-object certs/root.ca.cert.pem --type cert --label mytoken
List private objects with p11tool:
tmarri@tiru:~/src/crypto/hsm/data$ p11tool --provider /usr/local/lib/softhsm/libsofthsm2.so --list-tokens
Token 0:
URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=b654d88b91cb74af;token=mytoken
Label: mytoken
Type: Generic token
Flags: RNG, Requires login
Manufacturer: SoftHSM project
Model: SoftHSM v2
Serial: b654d88b91cb74af
Module:
Token 1:
URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=d83cf3bae49dd9b7;token=rsa2k
Label: rsa2k
Type: Generic token
Flags: RNG, Requires login
Manufacturer: SoftHSM project
Model: SoftHSM v2
Serial: d83cf3bae49dd9b7
Module:
Token 2:
URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=45a1db9eedd7a798;token=Key%20pairs
Label: Key pairs
Type: Generic token
Flags: RNG, Requires login
Manufacturer: SoftHSM project
Model: SoftHSM v2
Serial: 45a1db9eedd7a798
Module:
Token 3:
URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=a70324c3fd3e0fc4;token=tiru
Label: tiru
Type: Generic token
Flags: RNG, Requires login, uPIN uninitialized
Manufacturer: SoftHSM project
Model: SoftHSM v2
Serial: a70324c3fd3e0fc4
Module:
p11tool --provider /usr/local/lib/softhsm/libsofthsm2.so --login --list-all 'pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=b654d88b91cb74af;token=mytoken'
Useful Links