Hi all, I want to use the Nitrokey HSM module to sign a self-signed certificate with a self-signed certificate authority. Below you can find the procedure that I've followed:

# Create self-signed CA certificate (server certificate)
Create private key: pkcs11-tool --module opensc-pkcs11.so -l --keypairgen --key-type EC:prime256v1 --id 10 --label 'CAprivate2'
Self-sign private key: OPENSSL.

Configure PKCS11 Engine. I will not discuss the operating system part of getting PKCS11 devices to work in this article. But basically you just need to install some packages; you can read about it here. First of all we need to configure OpenSSL to talk to your PKCS11 device. This can be done from configuration or interactively on the command line.
OpenSSL PKCS#11 Engine
Engine_pkcs11 is an implementation of an engine for OpenSSL. It can be loaded from code, from a configuration file, or on the command line, and it forwards the key operations OpenSSL requests to a PKCS#11 module, so the private key never leaves the token. Engine_pkcs11 is meant to be used with smart cards and with software that exposes smart cards through a PKCS#11 interface, such as OpenSC. Originally this engine was part of OpenSC, until OpenSC was split into several small projects to improve flexibility.
There is no official package available for openSUSE Leap 15.2.
If you buy a new code signing certificate from SwissSign, you must generate the CSR with a private key that lives in a hardware HSM, where it cannot be exported. Unfortunately this is a new requirement: pure soft certificates (all secrets in a file) are no longer allowed.
Fortunately, the SuisseID is such a valid HSM. It can easily be used in your Ubuntu Linux MinGW cross build environment to sign your executables.
Sign CSR With SuisseID Private Key
You need the engine file, which in current Ubuntu is /usr/lib/ssl/engines/libpkcs11.so from package libengine-pkcs11-openssl, and the PKCS#11 library /usr/lib/libcvP11.so provided by SwissSign in package suisseid-pkcs11. You also need pkcs11-tool from package opensc and openssl from package openssl. For code signing, you need osslsigncode from package osslsigncode. Your SuisseID must be initialized using the SuisseID Assistant, named swisssign-init, from package swisssign-init.
If you haven't run the SuisseID installer, you can also add the SwissSign repository manually:
Install the dependencies:
If you haven't initialized your SuisseID, do it now. You should have received a TIN / PUK sheet from SwissSign with the transport PIN (TIN). Run swisssign-init and follow the instructions. Set a PIN; you will need it below.
Compile osslsigncode
Unfortunately, as of July 2018 the osslsigncode shipped with Ubuntu 16.04 is 1.7.1, which is the latest release but still does not support the options -pkcs11engine and -pkcs11module. So I had to compile my own version of osslsigncode:
Find Key ID
Get a list of all objects in your SuisseID:
This shows all objects found on your SuisseID smart card (which is your HSM), e.g.:
You need the ID of the key with label SwissSign_digSig, here 00903c80c138a20f4b92625a25550a6503273537.
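As an added example (my own, not a command from the article or from SwissSign), the same lookup as a small POSIX shell helper: it shows the pkcs11-tool -O invocation against the SwissSign module and a parser that pulls the private-key ID for a given label out of the listing, so the ID does not have to be copied by eye. The sample listing inside the block is constructed to mirror pkcs11-tool's output format and reuses the article's key ID; the module path is the one given above. Note that the certificate object carries the same ID as the key, so the parser restricts itself to "Private Key Object" blocks.

```shell
#!/bin/sh
# Added example: find the PKCS#11 object ID of a private key by label.
# Assumptions: SwissSign module path from the article; SAMPLE below is a
# constructed listing in pkcs11-tool -O format, not real token output.

MODULE=/usr/lib/libcvP11.so

# Real invocation: needs the SuisseID plugged in and the opensc package installed.
list_objects() {
    pkcs11-tool --module "$MODULE" -O
}

# find_key_id LISTING LABEL
# pkcs11-tool prints one block per object: a "<Type> ... Object; ..." line followed
# by indented "label:", "ID:" and "Usage:" lines. Track the current block's type and
# label, and print the ID of the first *private key* whose label matches.
find_key_id() {
    listing=$1
    want=$2
    printf '%s\n' "$listing" | awk -v want="$want" '
        /Object;/        { type = $1; label = ""; next }
        /^[ \t]*label:/  { sub(/^[ \t]*label:[ \t]*/, ""); sub(/[ \t]+$/, ""); label = $0; next }
        /^[ \t]*ID:/     { if (type == "Private" && label == want) { print $2; exit } }
    '
}

# is_hex_id ID: sanity check before pasting the value into -key options.
is_hex_id() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]+$'
}

# Constructed sample listing (format only; the certificate shares the key's ID).
SAMPLE='Using slot 1 with a present token (0x1)
Certificate Object; type = X.509 cert
  label:      SwissSign_digSig
  ID:         00903c80c138a20f4b92625a25550a6503273537
Private Key Object; RSA
  label:      SwissSign_auth
  ID:         0a0b0c
  Usage:      decrypt, sign
Private Key Object; RSA
  label:      SwissSign_digSig
  ID:         00903c80c138a20f4b92625a25550a6503273537
  Usage:      sign
'

# Demo on the constructed sample; replace "$SAMPLE" with "$(list_objects)" for a real token.
KEY_ID=$(find_key_id "$SAMPLE" SwissSign_digSig)
if is_hex_id "$KEY_ID"; then
    echo "SwissSign_digSig private key ID: $KEY_ID"
else
    echo "no private key labelled SwissSign_digSig found" >&2
fi
```

On a real token, run `find_key_id "$(list_objects)" SwissSign_digSig`; an empty result means the label is wrong or the token is not in the reader, and is_hex_id catches a stray "0:" prefix or whitespace before it reaches the -key option.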
OpenSSL Configuration
You need an OpenSSL configuration file engine.conf that loads the pkcs11 engine and points it at the SwissSign module:
Generate CSR
Now you have all puzzle pieces to generate the HSM-signed CSR required for getting your SwissSign code signing certificate. Do not forget to plug in your USB SuisseID:
It asks for your PIN and a common name. The common name will be overwritten in the SwissSign request form anyway. In option -key you specify a slot number (1 if you have one reader; otherwise just try different numbers) and the key ID that you found above.
After running the command, a file request.csr is generated that contains some lines between -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----.
Just copy the content of file request.csr into the CSR field on SwissSign's web page, fill out the forms, download the request form, fill it out, sign it and send it to fulfilment.
Sign Code With SuisseID
After some days, you get a mail containing a download link for your certificate from SwissSign. Download it in cer format and save it as certificate.pem. osslsigncode needs the certificate in PEM form; if the file you receive is binary DER rather than PEM text, convert it with openssl x509 first.
Something to Sign
You need a Windows exe or dll to test. Simply use my Windows cross compilation docker image to generate a Windows OpenSSL build in /tmp/test:
Now you have an exe that you can sign in the next step:
Sign a Windows Executable
Use osslsigncode (self-compiled, as explained above) to sign /tmp/test/usr/exe/openssl.exe:
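As an added example (my own script, not the article's or SwissSign's commands), the remaining steps strung together in POSIX shell: it writes engine.conf, builds the key reference for openssl req, and wraps the osslsigncode sign and verify calls. Assumptions: the engine and module paths and the key ID from the article; the legacy engine_pkcs11 key syntax slot_N-id_HEX that the text describes (newer libp11 releases prefer a PKCS#11 URI, which hex_to_uri_id produces from the same ID); that osslsigncode, when given -pkcs11engine and -pkcs11module, takes the key ID directly in -key, as its README shows; the [req] section that prompts only for the common name; and the DigiCert timestamp URL, which is just an example choice. The engine prompts for the token PIN when the key is used.

```shell
#!/bin/sh
# Added example: engine.conf, HSM-backed CSR, and osslsigncode signing with the SuisseID.
# Assumptions: paths and key ID from the article; legacy "slot_N-id_HEX" key syntax;
# osslsigncode -key takes the raw key ID with -pkcs11engine/-pkcs11module; the
# timestamp server is an example choice.

ENGINE=/usr/lib/ssl/engines/libpkcs11.so
MODULE=/usr/lib/libcvP11.so
SLOT=1
KEY_ID=00903c80c138a20f4b92625a25550a6503273537
CONF=${CONF:-engine.conf}
TSA_URL=http://timestamp.digicert.com   # example timestamp authority

# write_engine_conf FILE: OpenSSL config that loads the pkcs11 engine (libp11 layout).
# [req]/[req_dn] make "openssl req" prompt only for the common name.
write_engine_conf() {
    cat > "$1" <<EOF
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = $ENGINE
MODULE_PATH = $MODULE
init = 0

[req]
distinguished_name = req_dn

[req_dn]
commonName = Common Name
EOF
}

# legacy_key_spec SLOT HEXID: the "slot number plus key ID" form the article describes.
legacy_key_spec() { printf 'slot_%s-id_%s\n' "$1" "$2"; }

# hex_to_uri_id HEXID: PKCS#11 URI form for newer engines; each ID byte is %XX-encoded.
hex_to_uri_id() {
    hex=$1
    out=""
    [ $(( ${#hex} % 2 )) -eq 0 ] || return 1      # an odd digit count is not a byte string
    while [ -n "$hex" ]; do
        out="$out%$(printf '%.2s' "$hex")"
        hex=${hex#??}
    done
    printf 'pkcs11:id=%s\n' "$out"
}

# make_csr OUT.csr: the CSR is signed on the token; the private key never leaves it.
make_csr() {
    openssl req -config "$CONF" -engine pkcs11 -keyform engine \
        -key "$(legacy_key_spec "$SLOT" "$KEY_ID")" -new -sha256 -out "$1"
}

# sign_exe IN.exe OUT.exe CERT.pem: Authenticode-sign with the token key, timestamped.
sign_exe() {
    [ -f "$1" ] && [ -f "$3" ] || { echo "sign_exe: input or certificate missing" >&2; return 1; }
    command -v osslsigncode >/dev/null || { echo "sign_exe: osslsigncode not found" >&2; return 1; }
    osslsigncode sign -pkcs11engine "$ENGINE" -pkcs11module "$MODULE" \
        -certs "$3" -key "$KEY_ID" -h sha256 -t "$TSA_URL" \
        -in "$1" -out "$2"
}

# verify_exe FILE.exe: check the embedded signature chains and the file is unmodified.
verify_exe() { osslsigncode verify -in "$1"; }

case "${1:-}" in
    conf)   write_engine_conf "$CONF" ;;
    csr)    write_engine_conf "$CONF"; make_csr "${2:-request.csr}" ;;
    sign)   sign_exe "$2" "$3" "$4" ;;
    verify) verify_exe "$2" ;;
    "")     ;;   # no arguments: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 conf | csr [out.csr] | sign in.exe out.exe cert.pem | verify file.exe" >&2; exit 2 ;;
esac
```

Typical use: `sh suisseid-sign.sh csr` to produce request.csr, then after the certificate arrives `sh suisseid-sign.sh sign /tmp/test/usr/exe/openssl.exe openssl-signed.exe certificate.pem` and `sh suisseid-sign.sh verify openssl-signed.exe`. If your osslsigncode build expects a URI in -key, pass `hex_to_uri_id "$KEY_ID"` there instead of the raw ID.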