You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
SoftHSM is an implementation of a cryptographic store accessible through a PKCS #11 interface. It is being developed as a part of the OpenDNSSEC project. In this blog, i use softhsm to generate key pairs and use libp11 to make it was able to used by openssl.
In this case, we create two rsa keypairs in one softhsm slot, also you can let the issue ca to use another slot.
Requirements
openssl 1.1.1
softhsm2
libp11
pkcs11-tool
0x00 prepare the env
All operations are done on Ubuntu 18.04, how to install those tools would not be described here. also suppose you already have the basics of ca. if not, Jamie provide a good tutorial in this part.
enable pkcs11 engine for openssl.cnf
here is the example to enable pkcs11 engine for openssl .
~/Desktop/ca/test$ openssl req -new -x509 -days 7300 -sha512 -extensions v3_ca -engine pkcs11 -keyform engine -key 696976398:01 -out certs/root.ca.cert.pem
engine "pkcs11" set.
Enter PKCS#11 token PIN for sofunny:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:JS
Locality Name (eg, city) []:SZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:PP
Organizational Unit Name (eg, section) []:GP
Common Name (e.g. server FQDN or YOUR name) []:SPKI SSL ROOT CA 01
Email Address []:test@test.com
~/Desktop/ca/test$ openssl req -engine pkcs11 -keyform engine -key 696976398:02 -new -sha512 -out csr/issue.ca.csr
engine "pkcs11" set.
Enter PKCS#11 token PIN for sofunny:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:JS
Locality Name (eg, city) []:SZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:PP
Organizational Unit Name (eg, section) []:GP
Common Name (e.g. server FQDN or YOUR name) []:SPKI SSL ISSUE CA 01
Email Address []:test@test.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
~/Desktop/ca/test$ touch index.txt
~/Desktop/ca/test$ echo 1000 > serial
~/Desktop/ca/test$ openssl ca -engine pkcs11 -keyform engine -keyfile 696976398:01 -extensions v3_intermediate_ca -days 3650 -notext -md sha512 -in csr/issue.ca.csr -out certs/issue.ca.cert.pem
engine "pkcs11" set.
Using configuration from /usr/lib/ssl/openssl.cnf
Enter PKCS#11 token PIN for sofunny:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Dec 12 14:01:12 2020 GMT
Not After : Dec 10 14:01:12 2030 GMT
Subject:
countryName = CN
stateOrProvinceName = JS
organizationName = PP
organizationalUnitName = GP
commonName = SPKI SSL ISSUE CA 01
emailAddress = test@test.com
X509v3 extensions:
X509v3 Subject Key Identifier:
0B:F7:31:43:FC:7A:0A:4C:63:C4:C7:CB:BC:CC:40:50:E7:F1:ED:74
X509v3 Authority Key Identifier:
keyid:F1:76:ED:83:0E:B7:C5:6F:03:97:FF:4D:C1:2A:8E:B3:23:83:C6:CB
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Certificate is to be certified until Dec 10 14:01:12 2030 GMT (3650 days)
Sign the certificate? [y/n]:
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
~/Desktop/ca/test$ openssl genrsa -aes256 -out private/www.example.com.key.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...............................+++++
.....................................................................................................................................+++++
e is 65537 (0x010001)
140392395130176:error:260BC097:engine routines:int_engine_configure:invalid init value:../crypto/engine/eng_cnf.c:121:
Enter pass phrase for private/www.example.com.key.pem:
Verifying - Enter pass phrase for private/www.example.com.key.pem:
~/Desktop/ca/test$ openssl req -key private/www.example.com.key.pem -new -sha256 -out csr/www.example.com.csr.pem
Enter pass phrase for private/www.example.com.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:JS
Locality Name (eg, city) []:SZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:PP
Organizational Unit Name (eg, section) []:GP
Common Name (e.g. server FQDN or YOUR name) []:www.example.com
Email Address []:admin@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
in this case, i created a ssl certs for www.example.com. but i am not the owner of this domain, so just modified /etc/hosts file, and add this line 127.0.0.1 www.example.com
0x07 Conclusion
As for now, you already create a internal CA, also include SSL cert. it's enough for the interanl usage. and in this case , the main purpose is to use softhsm to store the private key , as you can see in this blog. you can create a key pairs with never extracted properties which it was stored in softhsm. softhsm is only a softhsm implement of HSM , the better way is to use real HSM in your production env. personally , i think it's enough for many case.
Intro
SoftHSM is an implementation of a cryptographic store accessible through a PKCS #11 interface. It is being developed as a part of the OpenDNSSEC project. In this blog, i use softhsm to generate key pairs and use libp11 to make it was able to used by openssl.
In this case, we create two rsa keypairs in one softhsm slot, also you can let the issue ca to use another slot.
Requirements
0x00 prepare the env
All operations are done on Ubuntu 18.04, how to install those tools would not be described here. also suppose you already have the basics of ca. if not, Jamie provide a good tutorial in this part.
here is the example to enable pkcs11 engine for openssl .
also you can get this config file here and put them to the right place. Before replace them ,you need have bakup.
openssl.cnf
ssl.openssl.cnf
also, you need create some folder and files depends on the configuration.
here is my folder structure
0x01 init slots & init keys
Here is the terminal output
you can change the key length, id & label by yourself. in this case, we use
id:01
for the root ca andid:02
for issue ca.Here is the terminal output
0x02 create root ca certs
Here is the terminal output
openssl x509 -in certs/root.ca.cert.pem -noout -text
0x03 create issue ca certs
Here is the terminal output
Here is the terminal output
Here is the terminal output
cat certs/issue.ca.cert.pem certs/root.ca.cert.pem > certs/spki.cert.pem openssl x509 -in certs/spki.cert.pem -noout -text
0x04 create ssl certs
Don't forget to cahnge permission for private folder. eg.
chmod 400 private
Here is the terminal output
Here is the terminal output
Here is the terminal output
Here is the terminal output
0x05 install CA Certs to Host
in this case, i put those cert in my ubuntu 18.04
it's enough to non-interactive usage. but fot some web browser, maybe you still need to trust it manually. here is the example for firefox
0x06 write test code
cat certs/www.example.com.cert.pem certs/issue.ca.cert.pem certs/root.ca.cert.pem > combine.pem
0x07 Conclusion
As for now, you already create a internal CA, also include SSL cert. it's enough for the interanl usage. and in this case , the main purpose is to use softhsm to store the private key , as you can see in this blog. you can create a key pairs with never extracted properties which it was stored in softhsm. softhsm is only a softhsm implement of HSM , the better way is to use real HSM in your production env. personally , i think it's enough for many case.
0x08 Resources
The text was updated successfully, but these errors were encountered: