authorhc <hc@email.ch>2024-11-20 12:51:33 +0800
committerhc <hc@email.ch>2024-11-20 12:51:33 +0800
commit853b82126baa1e8e408a10f91053c52626ffad29 (patch)
tree2fc1de9695810681ba654aab3c2a4867aacc1ac7 /config_files/nitrohsm-ca-docs-complete-and-very-messy
parentb1f88b682624e85b4b743343dfaaeed113b69413 (diff)
working
Diffstat (limited to 'config_files/nitrohsm-ca-docs-complete-and-very-messy')
-rw-r--r--config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-in-action147
-rw-r--r--config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-official-docs507
2 files changed, 654 insertions, 0 deletions
diff --git a/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-in-action b/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-in-action
new file mode 100644
index 0000000..562ebf5
--- /dev/null
+++ b/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-in-action
@@ -0,0 +1,147 @@
+
+sudo apt install pcscd pcsc-tools opensc openssl gnutls-bin
+sudo dnf install -y opensc openssl openssl-pkcs11 yubico-piv-tool yubikey-manager usbutils gnutls-utils #try this first. then sc-hsm-tool and pkcs11-tool.
+sudo dnf install -y pcsc-lite pcsc-lite-ccid
+sudo systemctl start pcscd
+sudo systemctl enable pcscd
+sudo opensc-tool -l
+
+so-pin 3537363231383830
+userpin 648219
+
+7535439178124602
+
+pkcs11-tool --login --login-type so --so-pin 1234123412341234 --change-pin --new-pin 3537363231383830
+opensc-tool -l # to list devices
+sc-hsm-tool -X -r 1 # -r is device number. to reset the device, you need so pin and userpin
+sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 -r 1
+ykman piv reset #reset yubikey piv
+
+find / -name opensc-pkcs11.so
+
+TESTING BEFORE OPERATION
+ ubuntu ONLY UBUNTU PKCS11 WORKS TO DISPLAY ALL THE REQUIRED DATA AND PASSES ALL TESTS
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --test
+/usr/lib64/opensc-pkcs11.so
+/usr/lib64/pkcs11/opensc-pkcs11.so on fedora
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --list-objects
+OPENSSL_CONF=./hsm.conf openssl engine
+the following should be printed for openssl
+(dynamic) Dynamic engine loading support
+(pkcs11) pkcs11 engine
+
+
+DOCUMNETATION FOR CA + nginx
+
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --keypairgen --key-type rsa:2048 --id 03 --label "serverkey"
+openssl req -engine pkcs11 -keyform engine -new -key "pkcs11:serial=DENK0302043;object=serverkey;type=private;pin-value=648219" -subj "/C=US/ST=YourState/L=YourCity/O=YourOrganization/CN=yourdomain.com" -out server.csr
+ openssl req -text -noout -verify -in server.csr # to verify the certificate
+openssl ca -config ../sign_server_and_client_csrs.ini -engine pkcs11 -keyform engine -extensions server_cert -days 375 -notext -md sha512 -create_serial -in server.csr -out server.crt
+openssl x509 -in server.crt -text -noout | grep -A 1 "Extended Key Usage" # output web server authentication
+
+010203040506070801020304050607080102030405060708 yubikey manageemnt, normal key 123456
+brew install gnutls
+yubico-piv-tool -a generate -s 9a -k -A RSA2048 -o yubi_pubkey.pem
+yubico-piv-tool -a verify-pin -a request-certificate -s 9a -i yubi_pubkey.pem -S '/CN=hii Usenamer/O=Example Corp/C=US/' -o yubi.csr
+openssl ca -config ../sign_server_and_client_csrs.ini -engine pkcs11 -keyform engine -extensions client_cert -days 375 -notext -md sha512 -create_serial -in yubi.csr -out yubi.crt
+openssl x509 -in yubi.crt -text -noout | grep -A 1 "Extended Key Usage" # output web client authentication
+cp yubi.crt yubi.crt.pem
+yubico-piv-tool -a import-certificate -s 9a -k -i yubi.crt.pem -K PEM
+p11tool --list-tokens
+curl -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer' https://127.0.0.1 -k
+curl -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer;pin-value=123456' https://127.0.0.1 -k
+can do curl -v xxxxxxxx as well for more verbose.
+
+openssl genrsa -out client.key 2048
+openssl req -new -key client.key -out client.csr -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=client2"
+openssl ca -config ../sign_server_and_client_csrs.ini -engine pkcs11 -keyform engine -extensions client_cert -days 375 -notext -md sha512 -create_serial -in client.csr -out client.crt
+openssl x509 -in client.crt -text -noout | grep -A 1 "Extended Key Usage" # output web client authentication
+curl https://127.0.0.1 --cacert ../../intermediate/certs/chain.crt --cert client.crt --key client.key -k
+
+STILL WILL HAVE ERROR BECAUSE URL REQUEST IS 127.0.0.1, if this is a public domain, curl checks the url in the cert and the requested url and if they both match, there should be no error when curling without -k
+
+openssl version -d # to find the default config file dir
+copy hsm.conf to the directory
+sudo nano /lib/systemd/system/nginx.service
+ add this to under service
+Environment=LANG=C
+Environment="OPENSSL_CONF=/usr/lib/ssl/hsm.conf"
+sudo systemctl daemon-reload
+
+pkcs15-tool --list-info
+ to get the serial number value of the device for the key
+p11tool --list-all
+p11tool --login --list-all pkcs11:model=
+
+ssl_engine pkcs11; # put this after events section, before http.
+ ssl_certificate /home/x/auths2/config/signing_area/server_cert.crt;
+ ssl_certificate_key "engine:pkcs11:pkcs11:serial=DENK0302043;object=serverkey;type=private";
+ ssl_client_certificate /home/x/auths2/intermediate/certs/chain.crt;
+ ssl_verify_client on;
+
+cat server.crt ../intermediate/certs/intermediate.crt ../certs/root.crt > fullchain.crt
+
+curl -X POST http://127.0.0.1/generate_verification -k
+curl -X POST -d "verify=wrIFRSJZ" -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer;pin-value=123456' https://127.0.0.1/verify -k
+curl -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer;pin-value=123456' https://127.0.0.1/check?string=wrIFRSJZ -k
+
+#change the check to not require authentication
+
+https://www.entrust.com/sites/default/files/documentation/integration-guides/nginx-server-nhield-v12-60-11_ig.pdf
+https://docs.nitrokey.com/hsm/linux/certificate-authority
+https://github.com/OpenSC/libp11/blob/5c99a1467e624981181ada75f41315cd1cf13e37/src/eng_parse.c
+ ^ is the pkcs uri for openssl -key
+
+DOCUMNETATION FOR CA + nginx END
+
+
+ yubico
+yubico-piv-tool -a unblock-pin -P 12345678 -N 123456
+123456 pin default
+12345678 pin unlock key default
+010203040506070801020304050607080102030405060708 management key default
+ssh -I /usr/lib64/pkcs11/opensc-pkcs11.so user@ip #then enter the userpin for yubikey
+
+
+should work
+openssl dgst -engine pkcs11 -keyform engine -sha256 -sign "pkcs11:id=%01" -out signature.bin txt
+openssl dgst -engine pkcs11 -keyform engine -sha256 -verify "pkcs11:id=%01" -signature signature.bin txt
+openssl dgst -engine pkcs11 -keyform engine -sha256 -verify 01 -signature signature.bin txt #sign should work as well
+pkcs15-tool --read-public-key 01 > pubkey
+openssl dgst -sha256 -verify pubkey -signature signature.bin txt
+
+
+openssl genrsa -out rootCA.key 2048
+openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem -subj "/CN=Root CA"
+openssl genrsa -out client.key 2048
+openssl req -new -key client.key -out client.csr -subj "/CN=Client"
+openssl x509 -req -in client.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out client.crt -days 500 -sha256
+openssl verify -CAfile rootCA.pem client.crt
+#$client.crt: OK
+
+
+untested
+pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so -L #list
+yubico-piv-tool -astatus #list
+pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so --slot-index 1 --login --pin 648219 --list-objects
+
+
+ generate the key
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --keypairgen --key-type rsa:2048 --id 01 --label "foo"
+
+ sign the file and create an output
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --sign --id 01 --input-file <input-file> --output-file <signature-file>
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --sign --label "foo" --input-file <input-file> --output-file <signature-file>
+
+
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --verify --id 01 --input-file <input-file> --signature-file <signature-file>
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --verify --label "foo" --input-file <input-file> --signature-file <signature-file>
+
+# Example test command sequence
+echo "Test data" > testdata.txt
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --id 01 --type privkey --sign -i testdata.txt -o signeddata.bin
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --id 01 --type pubkey --verify -i testdata.txt -s signeddata.bin
+
+
+pkcs11-tool --module $MODULE --login --pin YOUR_PIN --list-objects
+
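Review bot: The SO-PIN, user PIN and the 16-digit value below them (the `so-pin 3537363231383830` / `userpin 648219` / `7535439178124602` lines near the top of nitrohsm-in-action) are committed in plaintext and then repeated on the command lines of `pkcs11-tool --change-pin`, `sc-hsm-tool --initialize`, every `--login --pin 648219` invocation and the `pin-value=648219` element of the PKCS#11 URI passed to `openssl req`, which also lands in shell history and process listings. If these are the live values for the token, they should be rotated and the file should use placeholders the way the last line already does (`--pin YOUR_PIN`), e.g. `--pin <USER_PIN>`, and the PIN should be supplied interactively rather than via `pin-value=` in the URI. The Yubikey values `123456`, `12345678` and `0102…0708` are the documented factory defaults and are fine to keep labelled as defaults, but the curl calls using `pin-value=123456` against the PIV token suggest the PIV PIN may still be the default — worth confirming. The repeated `curl … -k` is acknowledged in the note about the 127.0.0.1 hostname mismatch; a `subjectAltName` with `IP:127.0.0.1` on the server certificate would remove the need for `-k` there.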
diff --git a/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-official-docs b/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-official-docs
new file mode 100644
index 0000000..a627ad9
--- /dev/null
+++ b/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-official-docs
@@ -0,0 +1,507 @@
+pkcs11-tool -l --keypairgen --key-type EC:secp384r1 --label root
+or
+pkcs11-tool -l --keypairgen --key-type EC:secp256r1 --label root
+pkcs11-tool -l --keypairgen --key-type rsa:4096 --label root
+
+pki_dir=/opt/certificate-authority
+mkdir $pki_dir
+cd $pki_dir
+mkdir certs config crl newcerts intermediate intermediate/certs intermediate/crl intermediate/csr intermediate/newcerts
+touch index.txt intermediate/index.txt
+cd config
+
+# Arch Linux
+pacman -S community/opensc community/libp11
+
+# Ubuntu
+sudo apt-get install opensc gnutls-bin
+
+# Generate private key on HSM
+$ pkcs11-tool -l --keypairgen --key-type EC:secp384r1 --label root
+Using slot 0 with a present token (0x0)
+Logging in to "SmartCard-HSM (UserPIN)".
+Please enter User PIN:
+Key pair generated:
+Private Key Object; EC
+ label: root
+ ID: e0161cc8b6f5d66ac6835ecdecb623fc0506a675
+ Usage: sign, derive
+ Access: none
+Public Key Object; EC EC_POINT 384 bits
+ EC_POINT: 046104c1e7b40e1ef9e5d47399aeeda695026c9eb626462059eb696e8f2b647b42d64ac3b7fc7a5b31aa3edf9bce46b2cdcf8e5d190b13601d3d14ffb119c8cf60033c6b78ba579b85113ca536eef1cf85ba418ff0110a56ec881b329e0562e090a3e7
+ EC_PARAMS: 06052b81040022
+ label: root
+ ID: e0161cc8b6f5d66ac6835ecdecb623fc0506a675
+ Usage: verify, derive
+ Access: none
+
+
+#to get the id
+pkcs11-tool -O
+
+vim create_root_cert.ini
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir = /opt/certificate-authority
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha512
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 375
+preserve = no
+policy = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 4096
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+prompt = no
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha512
+
+[ req_distinguished_name ]
+C = <two lettter country>
+ST = <full state name>
+O = <your company>
+OU = <your company> Certificate Authority
+CN = <your company> Root CA
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+
+#Generate the self-signed public certificate from the private key. Use the private key id value from earlier.
+$ openssl req -config create_root_cert.ini -engine pkcs11 -keyform engine -key e0161cc8b6f5d66ac6835ecdecb623fc0506a675 -new -x509 -days 3650 -sha512 -extensions v3_ca -out ../certs/root.crt
+engine "pkcs11" set.
+Enter PKCS#11 token PIN for SmartCard-HSM (UserPIN):
+
+#verify stuff matches
+$ openssl x509 -noout -text -in ../certs/root.crt
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 25:ac:e1:36:75:67:26:1d:bb:96:4b:84:c2:2d:83:25:7b:cc:e0:e5
+ Signature Algorithm: ecdsa-with-SHA512
+ Issuer: C = US, ST = My State, O = My Company, OU = My Company Certificate Authority, CN = My Company Root CA
+ Validity
+ Not Before: Aug 18 20:13:20 2020 GMT
+ Not After : Aug 16 20:13:20 2030 GMT
+ Subject: C = US, ST = My State, O = My Company, OU = My Company Certificate Authority, CN = My Company Root CA
+ Subject Public Key Info:
+ Public Key Algorithm: id-ecPublicKey
+ Public-Key: (384 bit)
+ pub:
+ 04:c1:e7:b4:0e:1e:f9:e5:d4:73:99:ae:ed:a6:95:
+ 02:6c:9e:b6:26:46:20:59:eb:69:6e:8f:2b:64:7b:
+ 42:d6:4a:c3:b7:fc:7a:5b:31:aa:3e:df:9b:ce:46:
+ b2:cd:cf:8e:5d:19:0b:13:60:1d:3d:14:ff:b1:19:
+ c8:cf:60:03:3c:6b:78:ba:57:9b:85:11:3c:a5:36:
+ ee:f1:cf:85:ba:41:8f:f0:11:0a:56:ec:88:1b:32:
+ 9e:05:62:e0:90:a3:e7
+ ASN1 OID: secp384r1
+ NIST CURVE: P-384
+ X509v3 extensions:
+ X509v3 Subject Key Identifier:
+ F1:FA:61:75:0B:AC:3C:95:97:EF:73:3C:3F:38:22:B1:DB:D9:BF:41
+ X509v3 Authority Key Identifier:
+ keyid:F1:FA:61:75:0B:AC:3C:95:97:EF:73:3C:3F:38:22:B1:DB:D9:BF:41
+
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Key Usage: critical
+ Digital Signature, Certificate Sign, CRL Sign
+ Signature Algorithm: ecdsa-with-SHA512
+ 30:64:02:30:53:b8:b6:5a:41:4b:4f:6a:d1:a6:76:88:df:13:
+ d6:da:c7:48:aa:8b:aa:ff:13:6c:d1:00:53:90:92:b5:71:57:
+ eb:d0:bf:3e:5d:2e:62:c0:3e:40:0f:64:25:a5:92:0f:02:30:
+ 15:0a:19:d5:a2:09:86:d8:9d:07:67:71:c3:84:f2:6b:90:20:
+ 2d:29:10:9e:4c:73:7a:55:56:4b:dc:fe:8d:3f:f0:9c:20:e1:
+ 5a:74:fb:41:86:ad:a4:66:61:74:d7:fd
+
+
+
+
+intermediate authority
+
+# Generate private key on HSM
+$ pkcs11-tool -l --keypairgen --key-type EC:secp384r1 --label intermediate
+Using slot 0 with a present token (0x0)
+Logging in to "SmartCard-HSM (UserPIN)".
+Please enter User PIN:
+Key pair generated:
+Private Key Object; EC
+ label: intermediate
+ ID: bcb48fe9b566ae61891aabbfde6a23d4ff3ab639
+ Usage: sign, derive
+ Access: none
+Public Key Object; EC EC_POINT 384 bits
+ EC_POINT: 046104d0fb5c0cd10c0b6e4d0f6986755824b624ec9fcd8ff9ae5f0109fe6ff3ad887ca760717da894f3ff84dc8c24fe8c93b0cd840a6aa941bb2866c061cef60e47b893d71852b50d6762af10c951426e55ec8925a6cd83aeae1730311108afdbcdee
+ EC_PARAMS: 06052b81040022
+ label: intermediate
+ ID: bcb48fe9b566ae61891aabbfde6a23d4ff3ab639
+ Usage: verify, derive
+ Access: none
+
+pkcs11-tool -O
+
+vim create_intermediate_csr.ini
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 4096
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+prompt = no
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+default_md = sha512
+
+[ req_distinguished_name ]
+C = <two lettter country>
+ST = <full state name>
+O = <your company>
+OU = <your company> Certificate Authority
+CN = <your company> Intermediate CA
+
+#generate csr
+$ openssl req -config create_intermediate_csr.ini -engine pkcs11 -keyform engine -key bcb48fe9b566ae61891aabbfde6a23d4ff3ab639 -new -sha512 -out ../intermediate/csr/intermediate.csr
+engine "pkcs11" set.
+Enter PKCS#11 token PIN for SmartCard-HSM (UserPIN):
+
+
+$ openssl req -text -noout -verify -in ../intermediate/csr/intermediate.csr
+verify OK
+Certificate Request:
+ Data:
+ Version: 1 (0x0)
+ Subject: C = US, ST = My State, O = My Company, OU = My Company Certificate Authority, CN = My Company Intermediate CA
+ Subject Public Key Info:
+ Public Key Algorithm: id-ecPublicKey
+ Public-Key: (384 bit)
+ pub:
+ 04:d0:fb:5c:0c:d1:0c:0b:6e:4d:0f:69:86:75:58:
+ 24:b6:24:ec:9f:cd:8f:f9:ae:5f:01:09:fe:6f:f3:
+ ad:88:7c:a7:60:71:7d:a8:94:f3:ff:84:dc:8c:24:
+ fe:8c:93:b0:cd:84:0a:6a:a9:41:bb:28:66:c0:61:
+ ce:f6:0e:47:b8:93:d7:18:52:b5:0d:67:62:af:10:
+ c9:51:42:6e:55:ec:89:25:a6:cd:83:ae:ae:17:30:
+ 31:11:08:af:db:cd:ee
+ ASN1 OID: secp384r1
+ NIST CURVE: P-384
+ Attributes:
+ a0:00
+ Signature Algorithm: ecdsa-with-SHA512
+ 30:64:02:30:6a:1d:75:8b:59:99:2c:a8:5d:a0:7f:02:7d:9a:
+ aa:40:74:7a:65:20:03:6b:bc:65:fb:7d:d1:7f:5b:24:ae:6f:
+ 40:16:ac:82:0b:80:9b:81:f9:d9:64:ea:0f:41:4c:d7:02:30:
+ 4d:28:7f:e3:76:52:c7:10:e1:bd:b7:2e:ea:65:78:41:0c:96:
+ 50:5f:e9:1f:be:18:ac:14:ba:65:3f:b0:2a:f4:0f:d0:56:ab:
+ d0:8c:bf:d0:92:9e:f6:e5:f6:8a:af:a5
+
+
+find the fully qualified PKCS#11 URI for your private key, this is an example
+pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=private
+
+$ p11tool --list-all
+warning: no token URL was provided for this operation; the available tokens are:
+
+pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00
+
+$ p11tool --login --list-all pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00
+Token 'SmartCard-HSM (UserPIN)' with URL 'pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00' requires user PIN
+Enter PIN:
+Object 0:
+ URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=private
+ Type: Private key (EC/ECDSA-SECP384R1)
+ Label: root
+ Flags: CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
+ ID: e0:16:1c:c8:b6:f5:d6:6a:c6:83:5e:cd:ec:b6:23:fc:05:06:a6:75
+
+Object 1:
+ URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=public
+ Type: Public key (EC/ECDSA-SECP384R1)
+ Label: root
+ ID: e0:16:1c:c8:b6:f5:d6:6a:c6:83:5e:cd:ec:b6:23:fc:05:06:a6:75
+
+Object 2:
+ URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%BC%B4%8F%E9%B5%66%AE%61%89%1A%AB%BF%DE%6A%23%D4%FF%3A%B6%39;object=intermediate;type=private
+ Type: Private key (EC/ECDSA-SECP384R1)
+ Label: intermediate
+ Flags: CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
+ ID: bc:b4:8f:e9:b5:66:ae:61:89:1a:ab:bf:de:6a:23:d4:ff:3a:b6:39
+
+Object 3:
+ URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%BC%B4%8F%E9%B5%66%AE%61%89%1A%AB%BF%DE%6A%23%D4%FF%3A%B6%39;object=intermediate;type=public
+ Type: Public key (EC/ECDSA-SECP384R1)
+ Label: intermediate
+ ID: bc:b4:8f:e9:b5:66:ae:61:89:1a:ab:bf:de:6a:23:d4:ff:3a:b6:39
+
+
+vim sign_intermediate_csr.ini
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir = /opt/certificate-authority
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+
+# The root key and root certificate.
+private_key = pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=private
+certificate = ../certs/root.crt
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha512
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 375
+preserve = no
+policy = policy_loose
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+
+sign intermediate with root
+$ openssl ca -config sign_intermediate_csr.ini -engine pkcs11 -keyform engine -extensions v3_intermediate_ca -days 1825 -notext -md sha512 -create_serial -in ../intermediate/csr/intermediate.csr -out ../intermediate/certs/intermediate.crt
+engine "pkcs11" set.
+Using configuration from sign_intermediate_csr.ini
+Enter PKCS#11 token PIN for SmartCard-HSM (UserPIN):
+Check that the request matches the signature
+Signature ok
+Certificate Details:
+ Serial Number:
+ 35:47:4d:05:12:cc:e1:a8:b6:bf:dd:3e:c8:29:7b:18:c0:a1:5c:68
+ Validity
+ Not Before: Aug 18 20:44:17 2020 GMT
+ Not After : Aug 17 20:44:17 2025 GMT
+ Subject:
+ countryName = US
+ stateOrProvinceName = My State
+ organizationName = My Company
+ organizationalUnitName = My Company Certificate Authority
+ commonName = My Company Intermediate CA
+ X509v3 extensions:
+ X509v3 Subject Key Identifier:
+ 1D:4F:E5:ED:11:42:9A:AC:25:E4:51:A3:42:67:97:39:A0:10:AE:82
+ X509v3 Authority Key Identifier:
+ keyid:F1:FA:61:75:0B:AC:3C:95:97:EF:73:3C:3F:38:22:B1:DB:D9:BF:41
+
+ X509v3 Basic Constraints: critical
+ CA:TRUE, pathlen:0
+ X509v3 Key Usage: critical
+ Digital Signature, Certificate Sign, CRL Sign
+Certificate is to be certified until Aug 17 20:44:17 2025 GMT (1825 days)
+Sign the certificate? [y/n]:y
+
+
+1 out of 1 certificate requests certified, commit? [y/n]y
+Write out database with 1 new entries
+Data Base Updated
+
+# to verify
+$ openssl x509 -noout -text -in ../intermediate/certs/intermediate.crt
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 35:47:4d:05:12:cc:e1:a8:b6:bf:dd:3e:c8:29:7b:18:c0:a1:5c:68
+ Signature Algorithm: ecdsa-with-SHA512
+ Issuer: C = US, ST = My State, O = My Company, OU = My Company Certificate Authority, CN = My Company Root CA
+ Validity
+ Not Before: Aug 18 20:44:17 2020 GMT
+ Not After : Aug 17 20:44:17 2025 GMT
+ Subject: C = US, ST = My State, O = My Company, OU = My Company Certificate Authority, CN = My Company Intermediate CA
+ Subject Public Key Info:
+ Public Key Algorithm: id-ecPublicKey
+ Public-Key: (384 bit)
+ pub:
+ 04:d0:fb:5c:0c:d1:0c:0b:6e:4d:0f:69:86:75:58:
+ 24:b6:24:ec:9f:cd:8f:f9:ae:5f:01:09:fe:6f:f3:
+ ad:88:7c:a7:60:71:7d:a8:94:f3:ff:84:dc:8c:24:
+ fe:8c:93:b0:cd:84:0a:6a:a9:41:bb:28:66:c0:61:
+ ce:f6:0e:47:b8:93:d7:18:52:b5:0d:67:62:af:10:
+ c9:51:42:6e:55:ec:89:25:a6:cd:83:ae:ae:17:30:
+ 31:11:08:af:db:cd:ee
+ ASN1 OID: secp384r1
+ NIST CURVE: P-384
+ X509v3 extensions:
+ X509v3 Subject Key Identifier:
+ 1D:4F:E5:ED:11:42:9A:AC:25:E4:51:A3:42:67:97:39:A0:10:AE:82
+ X509v3 Authority Key Identifier:
+ keyid:F1:FA:61:75:0B:AC:3C:95:97:EF:73:3C:3F:38:22:B1:DB:D9:BF:41
+
+ X509v3 Basic Constraints: critical
+ CA:TRUE, pathlen:0
+ X509v3 Key Usage: critical
+ Digital Signature, Certificate Sign, CRL Sign
+ Signature Algorithm: ecdsa-with-SHA512
+ 30:66:02:31:00:9a:6e:08:d2:d6:3a:29:f6:ba:0c:4c:3a:f4:
+ af:40:5e:e0:71:f2:bc:e4:47:f5:b4:ee:10:d7:27:b1:25:0b:
+ 4b:09:78:a1:b8:f2:b8:71:c5:4e:41:33:8e:64:db:ec:eb:02:
+ 31:00:fc:39:26:c2:ad:7b:3c:ab:75:06:34:02:47:79:40:31:
+ 1d:eb:17:ad:32:10:67:97:37:6f:7f:3c:ce:3e:12:3c:e9:7c:
+ fa:43:3e:34:5d:5e:f4:f3:2f:fd:6a:2f:14:da
+
+
+$ openssl verify -CAfile ../certs/root.crt ../intermediate/certs/intermediate.crt
+../intermediate/certs/intermediate.crt: OK
+
+#certificate chain
+cat ../intermediate/certs/intermediate.crt ../certs/root.crt > ../intermediate/certs/chain.crt
+
+####################setup ca done, to use the private key of the intermediate certificate to sign the CSRs of your servers
+
+vim sign_server_csrs.ini
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir = /opt/certificate-authority/intermediate
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+
+# The root key and root certificate.
+private_key = pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%BC%B4%8F%E9%B5%66%AE%61%89%1A%AB%BF%DE%6A%23%D4%FF%3A%B6%39;object=intermediate;type=private
+certificate = $dir/certs/intermediate.crt
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha512
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 375
+preserve = no
+policy = policy_loose
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+
+$ openssl ca -config sign_server_csrs.ini -engine pkcs11 -keyform engine -extensions server_cert -days 375 -notext -md sha512 -create_serial -in server_cert.csr -out server_cert.crt
+engine "pkcs11" set.
+Using configuration from sign_server_csrs.ini
+Enter PKCS#11 token PIN for SmartCard-HSM (UserPIN):
+Check that the request matches the signature
+Signature ok
+Certificate Details:
+ Serial Number:
+ 40:7f:dc:90:b0:3a:1b:fb:d3:e2:74:8d:40:28:a8:12:f7:7e:c3:74
+ Validity
+ Not Before: Aug 18 21:32:42 2020 GMT
+ Not After : Aug 28 21:32:42 2021 GMT
+ Subject:
+ countryName = US
+ stateOrProvinceName = My State
+ organizationName = My Company
+ organizationalUnitName = media
+ commonName = media
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ Netscape Cert Type:
+ SSL Server
+ Netscape Comment:
+ OpenSSL Generated Server Certificate
+ X509v3 Subject Key Identifier:
+ 26:89:19:95:6C:93:8C:DD:6E:AA:61:D5:C0:E6:78:CC:F1:47:64:FC
+ X509v3 Authority Key Identifier:
+ keyid:1D:4F:E5:ED:11:42:9A:AC:25:E4:51:A3:42:67:97:39:A0:10:AE:82
+ DirName:/C=US/ST=My State/O=My Company/OU=My Company Certificate Authority/CN=My Company Root CA
+ serial:35:47:4D:05:12:CC:E1:A8:B6:BF:DD:3E:C8:29:7B:18:C0:A1:5C:68
+
+ X509v3 Key Usage: critical
+ Digital Signature, Key Encipherment
+ X509v3 Extended Key Usage:
+ TLS Web Server Authentication
+Certificate is to be certified until Aug 28 21:32:42 2021 GMT (375 days)
+Sign the certificate? [y/n]:y
+
+
+1 out of 1 certificate requests certified, commit? [y/n]y
+Write out database with 1 new entries
+Data Base Updated
+
+
+https://docs.nitrokey.com/nitrokeys/features/openpgp-card/certificate-authority
+there is older document that may not be the same but it looks the same
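Review bot: The `[ server_cert ]` section of `sign_server_csrs.ini` issues leaf certificates without any `subjectAltName`, so they carry only a CN; current TLS clients do not fall back to CN for hostname verification, which matches the curl failures recorded in the companion nitrohsm-in-action file. Either add a per-host `subjectAltName = DNS:<server-hostname>` to the extension section, or set `copy_extensions = copy` under `[ CA_default ]` so each CSR's SAN is carried through — the `ca` man page's warning about `copy_extensions` applies, and `basicConstraints = CA:FALSE` must stay in `[ server_cert ]` so a requester-supplied CA:TRUE is never copied. Two smaller inconsistencies in the same hunk: in `create_intermediate_csr.ini` the "SHA-1 is deprecated" comment and `default_md = sha512` have drifted under `[ v3_ca ]` instead of `[ req ]` as in `create_root_cert.ini` (harmless only because `-sha512` is passed on the command line), and the comment `# The root key and root certificate.` above `private_key` in `sign_server_csrs.ini` describes the intermediate key and certificate and should read `# The intermediate key and intermediate certificate.`.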