how to generate x.509 certificate using PKCS11 (HSM, sobj_app)

dongyeonkim01
Contributor I

Hi,

We are building and testing LSDK 20.04 and I have a question.

How do I generate a certificate using PKCS11?

I already checked the pkcs11_app and sobj_app modules, but I couldn't find a way to generate a certificate.

1. How do I check the private key or the public key that is the HSM key?

2. How do I generate an X.509 certificate using the PKCS11 API?

2-1. Alternatively, if I cannot create an X.509 certificate using the PKCS11 API, how do I generate one?

Best regards

yipingwang
NXP TechSupport

In the LSDK User Guide (e.g. version 2012), please refer to the following commands for certificate generation.

Section 6.5.3.3.1 Secure Object Library based OpenSSL Engine (libeng_secure_obj)

...

This section describes how to use the command line to create a self-signed certificate for "NXP Semiconductor". The key of the certificate is generated in the Secure Object HSM and will not be exportable.

As per the following examples, generate a private key in the HSM with sobj_app. This will also create a fake PEM file "dev_key.pem" holding the information needed to get the required key from the HSM.

The following command generates an RSA key pair:

$: sobj_app -G -m rsa-pair -s 2048 -l "Test_Key" -i 1 -w dev_key.pem

An ECDSA key pair can also be generated using the following command:

$: sobj_app -G -m ec-pair -c prime256v1 -l "ecc_256" -i 30 -w dev_key.pem

To generate a certificate with the key in the Secure Object module, the following commands can be used:

$ openssl req -new -key dev_key.pem -out req.pem -text -x509 -subj "/CN=NXP Semiconductor"

$ openssl x509 -signkey dev_key.pem -in req.pem -out cert.pem

The first command creates a self-signed certificate for "NXP Semiconductor". The signing is done using the key specified by the fake PEM file.

The second command creates a self-signed certificate for the request; the private key used to sign the certificate is the same private key used to create the request.

dongyeonkim01
Contributor I

Thank you for your reply.

I have additional questions.

We are testing IPsec and TLS. A certificate will be sent during the test, and a private key is required to sign.

We want to generate and save the private key in secure storage, but the way you suggested is to write a private key to a file and use it, which is different from what we want. We want to create a certificate using the private key stored in the secure store.

1. How do I use my private key to sign an openssl certificate that uses pkcs?
2. How do I access my private key with pkcs?

yipingwang
NXP TechSupport

1. How do I use my private key to sign an openssl certificate that uses pkcs?
Ans: The customer has the option of integrating the PKCS#11 library with p11tool, which is an open-source utility that works with any PKCS#11 provider.

With this the customer can generate an RSA key pair, import already available keys and do other functions as explained in “6.5.3.1 Using PKCS#11 APIs” in the LSDK20.12 User Guide PDF.

Regarding signing an openssl certificate, please refer to “6.5.3.3.2 PKCS#11 based OpenSSL Engine (Third-party OpenSC/libp11)” in the LSDK20.12 User Guide.

2. How do I access my private key with pkcs?
Ans: The customer can access the private key using p11tool, which will be using our PKCS#11 library in the backend.

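The engine-based flow referred to in this reply (libp11 "pkcs11" engine) and the sobj_app/OpenSSL flow in the earlier one, as an added example that is not code from the thread or from the LSDK guide: it builds the RFC 7512 PKCS#11 URI for a key object, issues a self-signed certificate with the private key left on the token, and then checks that the certificate's public key is the one the token reports for that object (the mismatch this thread ends up debugging). The token label and object label are placeholders, and an OpenSSL 1.1 installation with the libp11 engine pointing MODULE_PATH at the NXP PKCS#11 library is assumed.

```shell
#!/bin/sh
# Added example, not code from the LSDK guide or from the thread.
# Issues a self-signed X.509 certificate with a key that stays on the PKCS#11
# token and then proves the certificate really wraps the token's public key.
# Assumptions (not on the page): OpenSSL 1.1 with the libp11 "pkcs11" engine
# configured in openssl.cnf; token label and object label are placeholders.

# Percent-encode a label for use inside an RFC 7512 PKCS#11 URI (ASCII only).
pct_encode() {
  s=$1 out=
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}          # first character of the remaining string
    s=${s#?}
    case "$c" in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# Build the key URI the engine expects: pkcs11:token=<label>;object=<label>;type=private
pkcs11_uri() {   # $1 token label, $2 object label, $3 optional type (default private)
  printf 'pkcs11:token=%s;object=%s;type=%s' \
    "$(pct_encode "$1")" "$(pct_encode "$2")" "${3:-private}"
}

# Self-signed certificate in one step; the private key is only referenced by URI,
# so the engine performs the signature inside the HSM (it prompts for the user PIN).
issue_selfsigned_cert() {   # $1 key URI, $2 subject, $3 output file
  openssl req -new -x509 -sha256 -days 365 -subj "$2" \
    -engine pkcs11 -keyform engine -key "$1" -out "$3"
}

# Compare the certificate's SubjectPublicKeyInfo with the public key the token
# reports for the same object; a mismatch means a different object was used.
cert_matches_token_key() {  # $1 certificate file, $2 key URI
  from_cert=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  from_token=$(openssl pkey -engine pkcs11 -inform engine -in "$2" -pubout) || return 1
  [ "$from_cert" = "$from_token" ]
}

if [ "${1:-}" = "run" ]; then
  openssl engine pkcs11 -t >/dev/null || { echo "pkcs11 engine not usable" >&2; exit 1; }
  KEY_URI=$(pkcs11_uri "placeholder_token" "Device_Key")   # placeholder labels
  issue_selfsigned_cert "$KEY_URI" "/CN=NXP Semiconductor" cert.pem
  cert_matches_token_key cert.pem "$KEY_URI" && echo "cert.pem signed by the token key"
fi
```

Invoke the script with the argument `run` on the board; without it only the functions are defined, so it can be sourced from another script.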
dongyeonkim01
Contributor I

I already tried to access the private key and sign the cert with the p11tool library, but I got the return "cannot load Private Key from engine".

[screenshot: dongyeonkim01_0-1630476404119.png]

[screenshot: dongyeonkim01_1-1630476421836.png]

yipingwang
NXP TechSupport

Please try to get full logs from the object creation using the p11tool command which is leading to the error.

Also get the logs of "openssl engine pkcs11 -t".

U-Boot and Linux boot logs will be helpful as well, just to confirm the version of the OS and firmware.

dongyeonkim01
Contributor I

Our OS is LSDK 20.04, and this is my process:

1. Generated key pair

[screenshot: dongyeonkim01_0-1630903376362.png]

2. Check URL

[screenshot: dongyeonkim01_1-1630903402183.png]

3. Create cert and get error

[screenshot: dongyeonkim01_2-1630903451988.png]

* openssl engine pkcs11 -t

[screenshot: dongyeonkim01_3-1630903520994.png]

* /etc/ssl/openssl.cnf

[screenshot: dongyeonkim01_0-1630906345003.png]

yipingwang
NXP TechSupport

In Screenshot 1 - an EC key pair is generated with label "Device_Key".

In Screenshot 2 - Objects 4 and 5 shown are keys with label "Device_key33", which is different from the key pair generated.

- I think they are confusing the handle numbers 4 & 5 generated (as shown in Screenshot 1) with Object 4 and Object 5 (in Screenshot 2).

- They are completely different; handles 4 & 5 are specific to sobj_app only. Those will not be the same as what is found for Objects 4 and 5.

In Screenshots 4 & 5 - the PKCS#11 engine has been configured correctly.

In Screenshot 3 - when using the same key from openssl, it is throwing errors which show that the token is not configured correctly.

- It means they have not done the steps given in https://docs.nxp.com/bundle/GUID-487B2E69-BB19-42CB-AC38-7EF18C0FE3AE/page/GUID-CBD773D9-CE43-4D3D-9CD4-63DE2092424F.html

- These steps are not in sequence, but at a high level the token needs to be initialized first to use the object from that token.

So you need to initialize the token, and most probably it will solve your problem.

liziyi
Contributor I

Hi,

I am trying to initialize the token, but I didn't know the original SO PIN. For more details please see https://community.nxp.com/t5/QorIQ/How-to-initialize-TEE-BASED-TOKEN-in-lx2160-ardb/td-p/1412342

Best regards.
