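#!/usr/bin/env bash
# HSM / YubiKey PKCS#11 setup notes — a command log, not a run-as-a-whole script.
# The original paste had every command and remark on one line; they are split
# one per line here and the author's remarks are turned into comments.  Run
# them step by step: most need the token plugged in and several are interactive.
#
# NOTE(review): the SO-PIN, user PIN and management key written down below live
# in a plaintext file and are passed on command lines (visible in `ps` output and
# shell history).  Rotate them after the exercise; for day-to-day use prefer the
# interactive prompt (`--login` without `--pin`) or a PIN file over `--pin` and
# `pin-value=` in URIs.

# --- package setup -----------------------------------------------------------
# Debian/Ubuntu
sudo apt install pcscd pcsc-tools opensc openssl gnutls-bin
# Fedora: try this first, then sc-hsm-tool and pkcs11-tool.
sudo dnf install -y opensc openssl openssl-pkcs11 yubico-piv-tool yubikey-manager usbutils gnutls-utils
sudo dnf install -y pcsc-lite pcsc-lite-ccid
sudo systemctl start pcscd
sudo systemctl enable pcscd
sudo opensc-tool -l

# --- token credentials used throughout these notes ---------------------------
# so-pin  3537363231383830
# userpin 648219
# 7535439178124602   (unlabelled value from the original notes; purpose unknown)
# NOTE(review): 3537363231383830 / 648219 look like the SmartCard-HSM factory
# defaults — confirm; if so, change them (pkcs11-tool --change-pin, as below)
# before the token holds production keys.

# Change the SO-PIN: old value first, new value after --new-pin.
pkcs11-tool --login --login-type so --so-pin 1234123412341234 --change-pin --new-pin 3537363231383830
opensc-tool -l # to list devices
# -r is the device number.  Resetting the device needs both the SO-PIN and the user PIN.
sc-hsm-tool -X -r 1
sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 -r 1
# Reset the YubiKey PIV applet (presumably PIN/PUK/management key return to the
# defaults listed in the yubico section — confirm).
ykman piv reset
# Locate the OpenSC PKCS#11 module for the --module arguments that follow.
find / -name opensc-pkcs11.so

# --- TESTING BEFORE OPERATION ------------------------------------------------
# Ubuntu: only the Ubuntu PKCS#11 module displayed all the required data and
# passed all tests.
pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --test
# On Fedora the module is /usr/lib64/opensc-pkcs11.so or /usr/lib64/pkcs11/opensc-pkcs11.so
pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --list-objects
# hsm.conf (not included in these notes) points OpenSSL at the pkcs11 engine.
# The following should be printed:
#   (dynamic) Dynamic engine loading support
#   (pkcs11) pkcs11 engine
OPENSSL_CONF=./hsm.conf openssl engine

# --- DOCUMENTATION FOR CA + nginx --------------------------------------------
# Generate the server key on the token (id 03, label "serverkey"); the private
# key never leaves the HSM.
pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --keypairgen --key-type rsa:2048 --id 03 --label "serverkey"
# CSR signed with the token-held key.  NOTE(review): the user PIN is embedded in
# the key URI (`pin-value=`) and the -subj fields are placeholders; fill in real
# values and consider RFC 7512 `pin-source=` or the interactive prompt instead.
openssl req -engine pkcs11 -keyform engine -new -key "pkcs11:serial=DENK0302043;object=serverkey;type=private;pin-value=648219" -subj "/C=US/ST=YourState/L=YourCity/O=YourOrganization/CN=yourdomain.com" -out server.csr
openssl req -text -noout -verify -in server.csr # to verify the CSR
# Sign with the intermediate CA; the CA config sits one directory up.
openssl ca -config ../sign_server_and_client_csrs.ini -engine pkcs11 -keyform engine -extensions server_cert -days 375 -notext -md sha512 -create_serial -in server.csr -out server.crt
# Expected output: web server authentication
openssl x509 -in server.crt -text -noout | grep -A 1 "Extended Key Usage"

# --- YubiKey client certificate ------------------------------------------------
# YubiKey management key 010203040506070801020304050607080102030405060708,
# normal PIN 123456.  NOTE(review): both are the factory defaults listed in the
# yubico section further down; change them before the key authenticates anything real.
brew install gnutls
yubico-piv-tool -a generate -s 9a -k -A RSA2048 -o yubi_pubkey.pem
yubico-piv-tool -a verify-pin -a request-certificate -s 9a -i yubi_pubkey.pem -S '/CN=hii Usenamer/O=Example Corp/C=US/' -o yubi.csr
openssl ca -config ../sign_server_and_client_csrs.ini -engine pkcs11 -keyform engine -extensions client_cert -days 375 -notext -md sha512 -create_serial -in yubi.csr -out yubi.crt
openssl x509 -in yubi.crt -text -noout | grep -A 1 "Extended Key Usage" # output: web client authentication
cp yubi.crt yubi.crt.pem
# Load the issued certificate into slot 9a next to the key.
yubico-piv-tool -a import-certificate -s 9a -k -i yubi.crt.pem -K PEM
p11tool --list-tokens
# TLS client auth through the PKCS#11 URI.  -k turns off server certificate
# verification (127.0.0.1 does not match the name in the server cert); with the
# CA chain available, `--cacert <chain> --resolve <cert-name>:443:127.0.0.1`
# keeps verification on.  The second form puts the PIN on the command line.
curl -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer' https://127.0.0.1 -k
curl -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer;pin-value=123456' https://127.0.0.1 -k
# Add -v to either curl for more verbose output.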
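# --- Software (file-based) client certificate ----------------------------------
# The client key is generated unencrypted on disk; acceptable for a test client only.
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=client2"
openssl ca -config ../sign_server_and_client_csrs.ini -engine pkcs11 -keyform engine -extensions client_cert -days 375 -notext -md sha512 -create_serial -in client.csr -out client.crt
openssl x509 -in client.crt -text -noout | grep -A 1 "Extended Key Usage" # output: web client authentication
# This still errors without -k because the request goes to 127.0.0.1: curl
# compares the requested host with the name in the certificate, and only when
# they match (a public domain) does the request succeed without -k.
# NOTE(review): --cacert is already supplied, so adding
# `--resolve <cert-name>:443:127.0.0.1` makes the name check pass and -k can be dropped.
curl https://127.0.0.1 --cacert ../../intermediate/certs/chain.crt --cert client.crt --key client.key -k

# --- Make nginx's OpenSSL load the pkcs11 engine -------------------------------
openssl version -d # to find the default config file dir; copy hsm.conf there
# Add these two lines under [Service] in the unit file:
#   Environment=LANG=C
#   Environment="OPENSSL_CONF=/usr/lib/ssl/hsm.conf"
# NOTE(review): edits to the packaged unit are lost on upgrade; an override via
# `systemctl edit nginx` survives.
sudo nano /lib/systemd/system/nginx.service
sudo systemctl daemon-reload
# Get the device serial number (the serial= part of the key URI).
pkcs15-tool --list-info
p11tool --list-all
p11tool --login --list-all pkcs11:model=   # URI left incomplete in the original notes
# nginx.conf: put this after the events section, before http:
#   ssl_engine pkcs11;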
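# nginx.conf (continued): token-held key via the pkcs11 engine, client
# certificates verified against the intermediate chain.
#   ssl_certificate /home/x/auths2/config/signing_area/server_cert.crt;
#   ssl_certificate_key "engine:pkcs11:pkcs11:serial=DENK0302043;object=serverkey;type=private";
#   ssl_client_certificate /home/x/auths2/intermediate/certs/chain.crt;
#   ssl_verify_client on;
# Full chain for the server.  NOTE(review): nginx above serves server_cert.crt,
# not fullchain.crt — confirm which file is meant.
cat server.crt ../intermediate/certs/intermediate.crt ../certs/root.crt > fullchain.crt

# --- Exercising the application ----------------------------------------------
# NOTE(review): plain http here (-k has no effect on http); the verification
# string travels unprotected, so keep this to localhost.
curl -X POST http://127.0.0.1/generate_verification -k
# PIN on the command line again (pin-value=); see the note at the top of the file.
curl -X POST -d "verify=wrIFRSJZ" -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer;pin-value=123456' https://127.0.0.1/verify -k
# URL quoted so the shell does not treat '?' as a glob.
# Author's note: change the check to not require authentication.
# NOTE(review): an unauthenticated /check lets any caller query verification
# state for a guessed string — confirm that is intended.
curl -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer;pin-value=123456' 'https://127.0.0.1/check?string=wrIFRSJZ' -k

# --- References ----------------------------------------------------------------
# https://www.entrust.com/sites/default/files/documentation/integration-guides/nginx-server-nhield-v12-60-11_ig.pdf
# https://docs.nitrokey.com/hsm/linux/certificate-authority
# https://github.com/OpenSC/libp11/blob/5c99a1467e624981181ada75f41315cd1cf13e37/src/eng_parse.c
#   ^ the PKCS#11 URI grammar accepted by openssl -key
# --- DOCUMENTATION FOR CA + nginx END ----------------------------------------

# --- yubico --------------------------------------------------------------------
# Factory defaults: PIN 123456, PIN unlock key (PUK) 12345678,
# management key 010203040506070801020304050607080102030405060708.
# NOTE(review): these defaults are public; change PIN, PUK and management key
# before the YubiKey protects anything real.
yubico-piv-tool -a unblock-pin -P 12345678 -N 123456
# ssh with the token key through the PKCS#11 provider; enter the YubiKey user
# PIN when prompted.
ssh -I /usr/lib64/pkcs11/opensc-pkcs11.so user@ip

# --- Signing with a token key through the engine -------------------------------
openssl dgst -engine pkcs11 -keyform engine -sha256 -sign "pkcs11:id=%01" -out signature.bin txt
openssl dgst -engine pkcs11 -keyform engine -sha256 -verify "pkcs11:id=%01" -signature signature.bin txt
# Bare object id is accepted by the engine as well; works for -sign too.
openssl dgst -engine pkcs11 -keyform engine -sha256 -verify 01 -signature signature.bin txt
# Verify off-token with the exported public key.
pkcs15-tool --read-public-key 01 > pubkey
openssl dgst -sha256 -verify pubkey -signature signature.bin txt

# --- Throwaway test CA (software keys, unencrypted) ---------------------------
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem -subj "/CN=Root CA"
openssl genrsa -out client.key 2048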
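# Test CA (continued): issue and verify a client certificate.
openssl req -new -key client.key -out client.csr -subj "/CN=Client"
openssl x509 -req -in client.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out client.crt -days 500 -sha256
openssl verify -CAfile rootCA.pem client.crt # expected: client.crt: OK

# --- untested --------------------------------------------------------------------
pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so -L # list slots
yubico-piv-tool -astatus # list
pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so --slot-index 1 --login --pin 648219 --list-objects
# Generate the key.  NOTE(review): this module path omits the pkcs11/ directory
# used earlier in these notes — confirm which exists (find / -name opensc-pkcs11.so).
pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --keypairgen --key-type rsa:2048 --id 01 --label "foo"
# Sign the file and create an output.  These four are templates: --input-file,
# --output-file and --signature-file still need file names before they can run.
pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --sign --id 01 --input-file --output-file
pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --sign --label "foo" --input-file --output-file
pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --verify --id 01 --input-file --signature-file
pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --verify --label "foo" --input-file --signature-file
# Example test command sequence: sign with the private key object, verify with
# the matching public key object.
echo "Test data" > testdata.txt
pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --id 01 --type privkey --sign -i testdata.txt -o signeddata.bin
pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --id 01 --type pubkey --verify -i testdata.txt -s signeddata.bin
# Generic form: MODULE is the path to opensc-pkcs11.so, YOUR_PIN a placeholder.
# $MODULE quoted so a path with spaces stays one argument.
pkcs11-tool --module "$MODULE" --login --pin YOUR_PIN --list-objects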