Diffstat (limited to 'config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-official-docs')
-rw-r--r--config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-official-docs507
1 files changed, 507 insertions, 0 deletions
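diff --git a/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-official-docs b/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-official-docs
new file mode 100644
index 0000000..a627ad9
--- /dev/null
+++ b/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-official-docs
@@ -0,0 +1,507 @@
+pkcs11-tool -l --keypairgen --key-type EC:secp384r1 --label root
+or
+pkcs11-tool -l --keypairgen --key-type EC:secp256r1 --label root
+pkcs11-tool -l --keypairgen --key-type rsa:4096 --label root
+
+pki_dir=/opt/certificate-authority
+mkdir $pki_dir
+cd $pki_dir
+mkdir certs config crl newcerts intermediate intermediate/certs intermediate/crl intermediate/csr intermediate/newcerts
+touch index.txt intermediate/index.txt
+cd config
+
+# Arch Linux
+pacman -S community/opensc community/libp11
+
+# Ubuntu
+sudo apt-get install opensc gnutls-bin
+
+# Generate private key on HSM
+$ pkcs11-tool -l --keypairgen --key-type EC:secp384r1 --label root
+Using slot 0 with a present token (0x0)
+Logging in to "SmartCard-HSM (UserPIN)".
+Please enter User PIN:
+Key pair generated:
+Private Key Object; EC
+ label: root
+ ID: e0161cc8b6f5d66ac6835ecdecb623fc0506a675
+ Usage: sign, derive
+ Access: none
+Public Key Object; EC EC_POINT 384 bits
+ EC_POINT: 046104c1e7b40e1ef9e5d47399aeeda695026c9eb626462059eb696e8f2b647b42d64ac3b7fc7a5b31aa3edf9bce46b2cdcf8e5d190b13601d3d14ffb119c8cf60033c6b78ba579b85113ca536eef1cf85ba418ff0110a56ec881b329e0562e090a3e7
+ EC_PARAMS: 06052b81040022
+ label: root
+ ID: e0161cc8b6f5d66ac6835ecdecb623fc0506a675
+ Usage: verify, derive
+ Access: none
+
+
+#to get the id
+pkcs11-tool -O
+
+vim create_root_cert.ini
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir = /opt/certificate-authority
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha512
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 375
+preserve = no
+policy = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 4096
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+prompt = no
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha512
+
+[ req_distinguished_name ]
+C = <two lettter country>
+ST = <full state name>
+O = <your company>
+OU = <your company> Certificate Authority
+CN = <your company> Root CA
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+
+#Generate the self-signed public certificate from the private key. Use the private key id value from earlier.
+$ openssl req -config create_root_cert.ini -engine pkcs11 -keyform engine -key e0161cc8b6f5d66ac6835ecdecb623fc0506a675 -new -x509 -days 3650 -sha512 -extensions v3_ca -out ../certs/root.crt
+engine "pkcs11" set.
+Enter PKCS#11 token PIN for SmartCard-HSM (UserPIN):
+
+#verify stuff matches
+$ openssl x509 -noout -text -in ../certs/root.crt
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 25:ac:e1:36:75:67:26:1d:bb:96:4b:84:c2:2d:83:25:7b:cc:e0:e5
+ Signature Algorithm: ecdsa-with-SHA512
+ Issuer: C = US, ST = My State, O = My Company, OU = My Company Certificate Authority, CN = My Company Root CA
+ Validity
+ Not Before: Aug 18 20:13:20 2020 GMT
+ Not After : Aug 16 20:13:20 2030 GMT
+ Subject: C = US, ST = My State, O = My Company, OU = My Company Certificate Authority, CN = My Company Root CA
+ Subject Public Key Info:
+ Public Key Algorithm: id-ecPublicKey
+ Public-Key: (384 bit)
+ pub:
+ 04:c1:e7:b4:0e:1e:f9:e5:d4:73:99:ae:ed:a6:95:
+ 02:6c:9e:b6:26:46:20:59:eb:69:6e:8f:2b:64:7b:
+ 42:d6:4a:c3:b7:fc:7a:5b:31:aa:3e:df:9b:ce:46:
+ b2:cd:cf:8e:5d:19:0b:13:60:1d:3d:14:ff:b1:19:
+ c8:cf:60:03:3c:6b:78:ba:57:9b:85:11:3c:a5:36:
+ ee:f1:cf:85:ba:41:8f:f0:11:0a:56:ec:88:1b:32:
+ 9e:05:62:e0:90:a3:e7
+ ASN1 OID: secp384r1
+ NIST CURVE: P-384
+ X509v3 extensions:
+ X509v3 Subject Key Identifier:
+ F1:FA:61:75:0B:AC:3C:95:97:EF:73:3C:3F:38:22:B1:DB:D9:BF:41
+ X509v3 Authority Key Identifier:
+ keyid:F1:FA:61:75:0B:AC:3C:95:97:EF:73:3C:3F:38:22:B1:DB:D9:BF:41
+
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Key Usage: critical
+ Digital Signature, Certificate Sign, CRL Sign
+ Signature Algorithm: ecdsa-with-SHA512
+ 30:64:02:30:53:b8:b6:5a:41:4b:4f:6a:d1:a6:76:88:df:13:
+ d6:da:c7:48:aa:8b:aa:ff:13:6c:d1:00:53:90:92:b5:71:57:
+ eb:d0:bf:3e:5d:2e:62:c0:3e:40:0f:64:25:a5:92:0f:02:30:
+ 15:0a:19:d5:a2:09:86:d8:9d:07:67:71:c3:84:f2:6b:90:20:
+ 2d:29:10:9e:4c:73:7a:55:56:4b:dc:fe:8d:3f:f0:9c:20:e1:
+ 5a:74:fb:41:86:ad:a4:66:61:74:d7:fd
+
+
+
+
+intermediate authority
+
+# Generate private key on HSM
+$ pkcs11-tool -l --keypairgen --key-type EC:secp384r1 --label intermediate
+Using slot 0 with a present token (0x0)
+Logging in to "SmartCard-HSM (UserPIN)".
+Please enter User PIN:
+Key pair generated:
+Private Key Object; EC
+ label: intermediate
+ ID: bcb48fe9b566ae61891aabbfde6a23d4ff3ab639
+ Usage: sign, derive
+ Access: none
+Public Key Object; EC EC_POINT 384 bits
+ EC_POINT: 046104d0fb5c0cd10c0b6e4d0f6986755824b624ec9fcd8ff9ae5f0109fe6ff3ad887ca760717da894f3ff84dc8c24fe8c93b0cd840a6aa941bb2866c061cef60e47b893d71852b50d6762af10c951426e55ec8925a6cd83aeae1730311108afdbcdee
+ EC_PARAMS: 06052b81040022
+ label: intermediate
+ ID: bcb48fe9b566ae61891aabbfde6a23d4ff3ab639
+ Usage: verify, derive
+ Access: none
+
+pkcs11-tool -O
+
+vim create_intermediate_csr.ini
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 4096
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+prompt = no
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+default_md = sha512
+
+[ req_distinguished_name ]
+C = <two lettter country>
+ST = <full state name>
+O = <your company>
+OU = <your company> Certificate Authority
+CN = <your company> Intermediate CA
+
+#generate csr
+$ openssl req -config create_intermediate_csr.ini -engine pkcs11 -keyform engine -key bcb48fe9b566ae61891aabbfde6a23d4ff3ab639 -new -sha512 -out ../intermediate/csr/intermediate.csr
+engine "pkcs11" set.
+Enter PKCS#11 token PIN for SmartCard-HSM (UserPIN):
+
+
+$ openssl req -text -noout -verify -in ../intermediate/csr/intermediate.csr
+verify OK
+Certificate Request:
+ Data:
+ Version: 1 (0x0)
+ Subject: C = US, ST = My State, O = My Company, OU = My Company Certificate Authority, CN = My Company Intermediate CA
+ Subject Public Key Info:
+ Public Key Algorithm: id-ecPublicKey
+ Public-Key: (384 bit)
+ pub:
+ 04:d0:fb:5c:0c:d1:0c:0b:6e:4d:0f:69:86:75:58:
+ 24:b6:24:ec:9f:cd:8f:f9:ae:5f:01:09:fe:6f:f3:
+ ad:88:7c:a7:60:71:7d:a8:94:f3:ff:84:dc:8c:24:
+ fe:8c:93:b0:cd:84:0a:6a:a9:41:bb:28:66:c0:61:
+ ce:f6:0e:47:b8:93:d7:18:52:b5:0d:67:62:af:10:
+ c9:51:42:6e:55:ec:89:25:a6:cd:83:ae:ae:17:30:
+ 31:11:08:af:db:cd:ee
+ ASN1 OID: secp384r1
+ NIST CURVE: P-384
+ Attributes:
+ a0:00
+ Signature Algorithm: ecdsa-with-SHA512
+ 30:64:02:30:6a:1d:75:8b:59:99:2c:a8:5d:a0:7f:02:7d:9a:
+ aa:40:74:7a:65:20:03:6b:bc:65:fb:7d:d1:7f:5b:24:ae:6f:
+ 40:16:ac:82:0b:80:9b:81:f9:d9:64:ea:0f:41:4c:d7:02:30:
+ 4d:28:7f:e3:76:52:c7:10:e1:bd:b7:2e:ea:65:78:41:0c:96:
+ 50:5f:e9:1f:be:18:ac:14:ba:65:3f:b0:2a:f4:0f:d0:56:ab:
+ d0:8c:bf:d0:92:9e:f6:e5:f6:8a:af:a5
+
+
+find the fully qualified PKCS#11 URI for your private key, this is an example
+pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=private
+
+$ p11tool --list-all
+warning: no token URL was provided for this operation; the available tokens are:
+
+pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00
+
+$ p11tool --login --list-all pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00
+Token 'SmartCard-HSM (UserPIN)' with URL 'pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00' requires user PIN
+Enter PIN:
+Object 0:
+ URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=private
+ Type: Private key (EC/ECDSA-SECP384R1)
+ Label: root
+ Flags: CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
+ ID: e0:16:1c:c8:b6:f5:d6:6a:c6:83:5e:cd:ec:b6:23:fc:05:06:a6:75
+
+Object 1:
+ URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=public
+ Type: Public key (EC/ECDSA-SECP384R1)
+ Label: root
+ ID: e0:16:1c:c8:b6:f5:d6:6a:c6:83:5e:cd:ec:b6:23:fc:05:06:a6:75
+
+Object 2:
+ URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%BC%B4%8F%E9%B5%66%AE%61%89%1A%AB%BF%DE%6A%23%D4%FF%3A%B6%39;object=intermediate;type=private
+ Type: Private key (EC/ECDSA-SECP384R1)
+ Label: intermediate
+ Flags: CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
+ ID: bc:b4:8f:e9:b5:66:ae:61:89:1a:ab:bf:de:6a:23:d4:ff:3a:b6:39
+
+Object 3:
+ URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%BC%B4%8F%E9%B5%66%AE%61%89%1A%AB%BF%DE%6A%23%D4%FF%3A%B6%39;object=intermediate;type=public
+ Type: Public key (EC/ECDSA-SECP384R1)
+ Label: intermediate
+ ID: bc:b4:8f:e9:b5:66:ae:61:89:1a:ab:bf:de:6a:23:d4:ff:3a:b6:39
+
+
+vim sign_intermediate_csr.ini
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir = /opt/certificate-authority
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+
+# The root key and root certificate.
+private_key = pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=private
+certificate = ../certs/root.crt
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha512
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 375
+preserve = no
+policy = policy_loose
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+
+sign intermediate with root
+$ openssl ca -config sign_intermediate_csr.ini -engine pkcs11 -keyform engine -extensions v3_intermediate_ca -days 1825 -notext -md sha512 -create_serial -in ../intermediate/csr/intermediate.csr -out ../intermediate/certs/intermediate.crt
+engine "pkcs11" set.
+Using configuration from sign_intermediate_csr.ini
+Enter PKCS#11 token PIN for SmartCard-HSM (UserPIN):
+Check that the request matches the signature
+Signature ok
+Certificate Details:
+ Serial Number:
+ 35:47:4d:05:12:cc:e1:a8:b6:bf:dd:3e:c8:29:7b:18:c0:a1:5c:68
+ Validity
+ Not Before: Aug 18 20:44:17 2020 GMT
+ Not After : Aug 17 20:44:17 2025 GMT
+ Subject:
+ countryName = US
+ stateOrProvinceName = My State
+ organizationName = My Company
+ organizationalUnitName = My Company Certificate Authority
+ commonName = My Company Intermediate CA
+ X509v3 extensions:
+ X509v3 Subject Key Identifier:
+ 1D:4F:E5:ED:11:42:9A:AC:25:E4:51:A3:42:67:97:39:A0:10:AE:82
+ X509v3 Authority Key Identifier:
+ keyid:F1:FA:61:75:0B:AC:3C:95:97:EF:73:3C:3F:38:22:B1:DB:D9:BF:41
+
+ X509v3 Basic Constraints: critical
+ CA:TRUE, pathlen:0
+ X509v3 Key Usage: critical
+ Digital Signature, Certificate Sign, CRL Sign
+Certificate is to be certified until Aug 17 20:44:17 2025 GMT (1825 days)
+Sign the certificate? [y/n]:y
+
+
+1 out of 1 certificate requests certified, commit? [y/n]y
+Write out database with 1 new entries
+Data Base Updated
+
+# to verify
+$ openssl x509 -noout -text -in ../intermediate/certs/intermediate.crt
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 35:47:4d:05:12:cc:e1:a8:b6:bf:dd:3e:c8:29:7b:18:c0:a1:5c:68
+ Signature Algorithm: ecdsa-with-SHA512
+ Issuer: C = US, ST = My State, O = My Company, OU = My Company Certificate Authority, CN = My Company Root CA
+ Validity
+ Not Before: Aug 18 20:44:17 2020 GMT
+ Not After : Aug 17 20:44:17 2025 GMT
+ Subject: C = US, ST = My State, O = My Company, OU = My Company Certificate Authority, CN = My Company Intermediate CA
+ Subject Public Key Info:
+ Public Key Algorithm: id-ecPublicKey
+ Public-Key: (384 bit)
+ pub:
+ 04:d0:fb:5c:0c:d1:0c:0b:6e:4d:0f:69:86:75:58:
+ 24:b6:24:ec:9f:cd:8f:f9:ae:5f:01:09:fe:6f:f3:
+ ad:88:7c:a7:60:71:7d:a8:94:f3:ff:84:dc:8c:24:
+ fe:8c:93:b0:cd:84:0a:6a:a9:41:bb:28:66:c0:61:
+ ce:f6:0e:47:b8:93:d7:18:52:b5:0d:67:62:af:10:
+ c9:51:42:6e:55:ec:89:25:a6:cd:83:ae:ae:17:30:
+ 31:11:08:af:db:cd:ee
+ ASN1 OID: secp384r1
+ NIST CURVE: P-384
+ X509v3 extensions:
+ X509v3 Subject Key Identifier:
+ 1D:4F:E5:ED:11:42:9A:AC:25:E4:51:A3:42:67:97:39:A0:10:AE:82
+ X509v3 Authority Key Identifier:
+ keyid:F1:FA:61:75:0B:AC:3C:95:97:EF:73:3C:3F:38:22:B1:DB:D9:BF:41
+
+ X509v3 Basic Constraints: critical
+ CA:TRUE, pathlen:0
+ X509v3 Key Usage: critical
+ Digital Signature, Certificate Sign, CRL Sign
+ Signature Algorithm: ecdsa-with-SHA512
+ 30:66:02:31:00:9a:6e:08:d2:d6:3a:29:f6:ba:0c:4c:3a:f4:
+ af:40:5e:e0:71:f2:bc:e4:47:f5:b4:ee:10:d7:27:b1:25:0b:
+ 4b:09:78:a1:b8:f2:b8:71:c5:4e:41:33:8e:64:db:ec:eb:02:
+ 31:00:fc:39:26:c2:ad:7b:3c:ab:75:06:34:02:47:79:40:31:
+ 1d:eb:17:ad:32:10:67:97:37:6f:7f:3c:ce:3e:12:3c:e9:7c:
+ fa:43:3e:34:5d:5e:f4:f3:2f:fd:6a:2f:14:da
+
+
+$ openssl verify -CAfile ../certs/root.crt ../intermediate/certs/intermediate.crt
+../intermediate/certs/intermediate.crt: OK
+
+#certificate chain
+cat ../intermediate/certs/intermediate.crt ../certs/root.crt > ../intermediate/certs/chain.crt
+
+####################setup ca done, to use the private key of the intermediate certificate to sign the CSRs of your servers
+
+vim sign_server_csrs.ini
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir = /opt/certificate-authority/intermediate
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+
+# The root key and root certificate.
+private_key = pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%BC%B4%8F%E9%B5%66%AE%61%89%1A%AB%BF%DE%6A%23%D4%FF%3A%B6%39;object=intermediate;type=private
+certificate = $dir/certs/intermediate.crt
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha512
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 375
+preserve = no
+policy = policy_loose
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+
+$ openssl ca -config sign_server_csrs.ini -engine pkcs11 -keyform engine -extensions server_cert -days 375 -notext -md sha512 -create_serial -in server_cert.csr -out server_cert.crt
+engine "pkcs11" set.
+Using configuration from sign_server_csrs.ini
+Enter PKCS#11 token PIN for SmartCard-HSM (UserPIN):
+Check that the request matches the signature
+Signature ok
+Certificate Details:
+ Serial Number:
+ 40:7f:dc:90:b0:3a:1b:fb:d3:e2:74:8d:40:28:a8:12:f7:7e:c3:74
+ Validity
+ Not Before: Aug 18 21:32:42 2020 GMT
+ Not After : Aug 28 21:32:42 2021 GMT
+ Subject:
+ countryName = US
+ stateOrProvinceName = My State
+ organizationName = My Company
+ organizationalUnitName = media
+ commonName = media
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ Netscape Cert Type:
+ SSL Server
+ Netscape Comment:
+ OpenSSL Generated Server Certificate
+ X509v3 Subject Key Identifier:
+ 26:89:19:95:6C:93:8C:DD:6E:AA:61:D5:C0:E6:78:CC:F1:47:64:FC
+ X509v3 Authority Key Identifier:
+ keyid:1D:4F:E5:ED:11:42:9A:AC:25:E4:51:A3:42:67:97:39:A0:10:AE:82
+ DirName:/C=US/ST=My State/O=My Company/OU=My Company Certificate Authority/CN=My Company Root CA
+ serial:35:47:4D:05:12:CC:E1:A8:B6:BF:DD:3E:C8:29:7B:18:C0:A1:5C:68
+
+ X509v3 Key Usage: critical
+ Digital Signature, Key Encipherment
+ X509v3 Extended Key Usage:
+ TLS Web Server Authentication
+Certificate is to be certified until Aug 28 21:32:42 2021 GMT (375 days)
+Sign the certificate? [y/n]:y
+
+
+1 out of 1 certificate requests certified, commit? [y/n]y
+Write out database with 1 new entries
+Data Base Updated
+
+
+https://docs.nitrokey.com/nitrokeys/features/openpgp-card/certificate-authority
+there is older document that may not be the same but it looks the same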
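Review bot: The server certificate issued through `sign_server_csrs.ini` carries no subjectAltName — its extension dump lists only Basic Constraints, Netscape Cert Type/Comment, SKI, AKI, Key Usage and EKU — because that file's `[ CA_default ]` sets no `copy_extensions` and `[ server_cert ]` names none, so any SAN the CSR requested is silently dropped and TLS clients that no longer fall back to the CN will reject the result; adding `copy_extensions = copy` to `[ CA_default ]` of `sign_server_csrs.ini` fixes this, and the section's own `basicConstraints`/`keyUsage` still take precedence over copied values, which is why the operator's review of each request before answering `y` stays important. In the same file the comment `# The root key and root certificate.` above `private_key`/`certificate` describes the intermediate key and `intermediate.crt`; it should read `# The intermediate key and intermediate certificate.`. In `create_intermediate_csr.ini` the `default_md = sha512` line ended up under `[ v3_ca ]`, separated from its `# SHA-1 is deprecated` comment in `[ req ]`, where OpenSSL would treat it as an unknown extension name if that section were ever selected; it belongs in `[ req ]` (today only the explicit `-sha512` flag on the `openssl req` command sets the digest). `sign_intermediate_csr.ini` also points `certificate` at the relative path `../certs/root.crt` while every other path in these files is anchored on `$dir`, so that `openssl ca` invocation only works from the config directory — `certificate = $dir/certs/root.crt` matches the rest of the file.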