Pkcs11 Tool Generate Key Pair
Proof-of-concept of using an HSM to generate and store key pairs, then using those key pairs to create a CA certificate, client certificate and server certificate for TLS.
- Linux
- The
openssllibrary softhsm, or any other PKCS#11 library.
Pkcs11 Tool Generate Key Pair Chart
Build the project
If using softhsm, clean all existing softhsm slots.
where
~/softhsmis the value ofdirectories.tokendirin/etc/softhsm2.confSet env vars for the PKCS#11 library path, and for the PKCS#11 Spy path if you want to use it.
Initialize three slots.
If you already have an initialized slot in your HSM, set:
TOKENto the token label of the slotUSER_PINto the user PIN of the slotLABEL_{1,2,3}to the values of the object labels that will be used for the three generated key pairs.
Otherwise, initialize them here:
For softhsm, use
softhsm2-utilorpkcs11-tool. Eg:For TPM 2.0 TPMs, use
tpm2_ptoolor any other tool that uses TSS. Eg:
Generate a key pair in each of the two slots.
Possible values for
--typeare listed in the output ofcargo run -- generate-key-pair --helpEach invocation of
generate-key-pairwill print the public key parameters of the newly generated key - modulus and exponent for RSA, curve name and point for EC.Verify the key pairs.
This should print the same key parameters that
generate-key-pairinvocations in the previous step did.Generate certificates using the key pairs
This uses the first key pair to generate a CA cert (self-signed), the second key pair to generate a server cert (signed by the CA cert), and the third key pair to generate a client cert (also signed by the CA cert).
Start a webserver using the server cert.
The web server runs on port 8443 by default. Use
--portto use a different value.Verify the cert served by the web server.
This should show the cert chain and have no errors (apart from a verification error because the CA cert is untrusted).
This should successfully show
curlcompleting a TLS handshake and receivingHello, world!from the web server.Use a webclient using the client cert for TLS client auth to connect to the webserver.
This should successfully show the client completing a TLS handshake and receiving
Hello, world!from the web server. The client will print the cert chain it received from the server. The server will also print the client cert chain it received from the client.
TPM 2.0 hardware currently does not have a fully-functional PKCS#11 implementation. There is tpm2-pkcs11 but it is not yet feature-complete, and does not work on all hardware.
About SSH and Smart Card support (RHEL 7). Creation of new RSA key pair is quite easy using pkcs11-tool. You need only one command to do so. Generate RSA key pair. Generate a new key pair (public and private pair.) -write-object id, -w path Write a key or certificate object to the token. Causes pkcs11-tool to be more verbose. Keytool automatically generates a self-signed certificate when it generates a key entry, whereas PKCS#11 allows to create a key pair without a corresponding certificate. The Java keystore API simply ignores key pair entries without a certificate. That's why keytool -list. Does not show the entry when it was created with pkcs11-tool. Satisfying Putty-CAC by creating a certificate from our key pair Failing on Windows. The PKCS#15 tools we used to generate a key pair are able to store a certificate, but cannot create one. This is a job more suited for OpenSSL. OpenSSL commands to do that are not very user-friendly, but are relatively well documented.
Here are some notes of how to use this demo with a TPM:
Your hardware may not work with the latest version of
tpm2-pkcs11, so you may need a specific older version. You may also need specific older versions oftpm2-abrmd,tpm2-tssandtpm2-tools. Consult your hardware manufacturer.Make sure to initialize the
tpm2-pkcs11store first: Acronis disk director 12 key generator.If using a custom store path (
--path <>), make sure the path is writable by your user.tpm2-pkcs11only supports RSA 2048-bit keys and ECDSA P-256 keys.
Pkcs11 Tool Generate Key Pair Number
MIT