OpenSSL CLI

The examples below are using the openssl command, using customized configuration for Primus HSM PKCS#11 provider as shown above. HSM partition is mounted as slot 0. For your requests you probably have to adapt the openssl configuration file or define all your CSR parameters on the command line.

Generating Key Pair and Certificate Signing Request (CSR) and Import Certificate

This chapter describes how to generate a keypair using pkcs11-tool, generating a CSR using openssl and importing the certificate using pkcs11-tool (you cannot create an RSA key inside the HSM with genrsa/genpkey).

RSA Key Pair, CSR and Certificate Import

Generating a new key pair using pkcs11-tool: 2048-bit RSA, CKA_SENSITIVE set, using slot 0:

pkcs11-tool --module /usr/local/primus/lib/libprimusP11.so --slot=0 \
	--login --pin <PKCS\#11 PIN> --keypairgen --key-type RSA:2048 \
	--id 1001 --label myrsakey --sensitive

Using slot 0 with a present token (0x0)
Key pair generated:
Private Key Object; RSA 
 label: myrsakey
 ID: 1001
 Usage: decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
 label: myrsakey
 ID: 1001
 Usage: encrypt, verify, wrap

Generate the CSR interactively, using OpenSSL by referencing the key ID on the HSM by the key ID:

openssl req -engine pkcs11 -new \
	-key "pkcs11:token=<partition-name>;id=%10%01;type=private" \
	-keyform engine -out rsa.hsm.csr -sha256 -verify

engine "pkcs11" set.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CH
State or Province Name (full name) []:ZH
Locality Name (eg, city) [Default City]:Zuerich
Organization Name (eg, company) [Default Company Ltd]:Securosys SA
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:cos8.securosys.ch
Email Address []:cos8@securosys.ch
...
verify OK

Alternatively, you can issue a self signed certificate using OpenSSL:

openssl req -engine pkcs11 -new -x509 \
	-key "pkcs11:token=<partition-name>;id=%10%01;type=private" \
	-keyform engine -out rsa.hsm.crt -sha256 -days 365 -nodes

If required, import the signed certificate rsa.hsm.crt (DER format), using pkcs-11 tool:

pkcs11-tool --module /usr/local/primus/lib/libprimusP11.so -l \
	-p <PKCS\#11 PIN> --slot 0 --write-object rsa.hsm.crt \
	--type cert --id 1001 --label myrsakey

Using slot with ID 0x0
Created certificate:
Certificate Object; type = X.509 cert
 label: myrsakey
 subject: DN: C=CH, O=Securosys SA, OU=IT, CN=cos8.securosys.ch
 ID: 1001

EC Key Pair, CSR and Certificate Import

Generating a new key pair using pkcs11-tool: Elliptic Curve secp384r1, using slot 0:

pkcs11-tool --module /usr/local/primus/lib/libprimusP11.so \
	-slot=0 --login --pin <PKCS\#11 PIN> --keypairgen \
	--key-type EC:secp384r1 --id 1002 --label myeckey

Using slot 0 with a present token (0x0)
Key pair generated:
Private Key Object; EC
 label: myeckey
 ID: 1002
 Usage: sign, derive
Public Key Object; EC EC_POINT 384 bits
 EC_POINT: 
046104fb05c1978b6d700e4adb629f81194f5a9c4a06ba4ffe50c41c9165630021fbecd5e91a72db8e48f5d0
5c81a8dd5d55eca1722587f1f13b9fc4e622eb54b07a15d18f77d774326c3f35abe69ca3a7de53a8e92e2cf2
c44e1a9a34f52fdbacf71b
 EC_PARAMS: 06052b81040022
 label: myeckey
 ID: 1002
 Usage: verify, derive

Generate the CSR interactively, using OpenSSL by referencing the key on the HSM by the key Label (id_<id-number>) or label:

openssl req -engine pkcs11 -new \
	-key "pkcs11:token=<partition-name>;object=myeckey;type=private" \
	-keyform engine -out ec.hsm.csr -sha384 -verify

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CH
$State or Province Name (full name) []:ZH
Locality Name (eg, city) [Default City]:Zuerich
Organization Name (eg, company) [Default Company Ltd]:Securosys SA
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:cos8.securosys.ch
Email Address []:cos8@securosys.ch
...
verify OK

Alternatively, you can issue a self signed certificate using OpenSSL:

openssl req -engine pkcs11 -new -x509 \
	-key "pkcs11:token=<partition-name>;object=myeckey;type=private" \
	-keyform engine -out ec.hsm.crt -sha384 -days 365 -nodes

If required, import the signed certificate ec.hsm.cer (DER format), using pkcs-11 tool:

pkcs11-tool --module /usr/local/primus/lib/libprimusP11.so -l \
	-p <PKCS\#11 PIN> --slot 0 --write-object ec.hsm.crt \
	--type cert --id 1002 --label myeckey

OpenSSL CLI

Generating Key Pair and Certificate Signing Request (CSR) and Import Certificate​

RSA Key Pair, CSR and Certificate Import​

EC Key Pair, CSR and Certificate Import​

Generating Key Pair and Certificate Signing Request (CSR) and Import Certificate

RSA Key Pair, CSR and Certificate Import

EC Key Pair, CSR and Certificate Import