.. hsm2-openssl-yubihsm2.rst

.. _hsm2-openssl-yubihsm2-label:

=============================================================
OpenSSL with YubiHSM 2 via engine_pkcs11 and yubihsm_pkcs11
=============================================================

Install ``engine_pkcs11`` and ``pkcs11-tool`` from OpenSC before proceeding. Depending on your operating system and configuration you may have to install ``libp11`` as well. If you are on macOS you will have to symlink ``pkg-config`` in order to do so.

OpenSSL requires engine settings in the ``openssl.cnf`` file. Some OpenSSL commands allow specifying ``-config ossl.conf`` and some do not. Setting the environment variable ``OPENSSL_CONF`` always works, but be aware that sometimes the default ``openssl.cnf`` contains entries that are needed by commands like ``openssl req``. In other words, you may have to add the engine entries to your default OpenSSL config file (``openssl.cnf`` in the directory shown by ``openssl version -d``) or add other requirements for your OpenSSL command into the config file.

It is suggested that you create a separate config file for interactions with the HSM in order to prevent conflicts with previous settings or defaults.

Example: Creating an Alias
==========================

An alias can be created to easily read from a dedicated config file and ensure compatibility across systems.

.. code-block:: bash

   alias yubissl='OPENSSL_CONF=/path/to/yubihsm.conf openssl'

Example: Generating a Key in the Device
=======================================

Here is an example of generating a key in the device, creating a self-signed certificate and then signing a CSR with it:

.. code-block:: bash

   $ pkcs11-tool --module /path/to/yubihsm_pkcs11.so --login --pin 0001password --keypairgen --key-type rsa:2048 --label "my_key" --usage-sign
   Using slot 0 with a present token (0x0)
   Logging in to "YubiHSM".
   Please enter User PIN:
   Key pair generated:
   Private Key Object; RSA
     label:      my_key
     ID:         04ec
     Usage:      sign
   Public Key Object; RSA 2048 bits
     label:      my_key
     ID:         04ec
     Usage:      none
   $ openssl req -new -x509 -days 365 -subj '/CN=my key/' -sha256 -config engine.conf -engine pkcs11 -keyform engine -key slot_0-label_my_key -out cert.pem
   engine "pkcs11" set.
   PKCS#11 token PIN:
   $ OPENSSL_CONF=engine.conf openssl x509 -req -CAkeyform engine -engine pkcs11 -in req.csr -CA cert.pem -CAkey slot_0-label_my_key -set_serial 1 -sha256
   engine "pkcs11" set.
   Signature ok
   subject=/CN=test
   Getting CA Private Key
   PKCS#11 token PIN:
   -----BEGIN CERTIFICATE-----
   MIICkzCCAXsCAQEwDQYJKoZIhvcNAQELBQAwETEPMA0GA1UEAwwGbXkga2V5MB4X
   DTE3MDQyNDA3Mzc1MFoXDTE3MDUyNDA3Mzc1MFowDjEMMAoGA1UEAwwDZm9vMIIB
   IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqBARJLAIjSqKk2OuRWrs91EC
   MYjjZhxJE8IAMIiDDM2wSuQhB7A2CVW+/d1SG0k5cTEiasDBHbH9Bc2w+xn0l3Dh
   8cXafvcFkjcNabHesrbcwRgItugw7PWBtyopWDtDhVWKS1zkpDO8iKjwiYciweaP
   96nEHlQPPRUp7bf3IE7RTXENAqJai6QIYBZOrzHM9NrIz/6YaR2ua7SY7V/B3xaJ
   7KsiQ8oHWuf+RDNkJOhbD+1fgeMtN8x+W4XYnCPQPjJ/MfjuHJ2n5EM3Vb/plh9H
   uT+D56ozIk41FeXgC4gNu8fIv2KE1XBMuJCGRbyh5xk0dkQdvKxtVEfiDcwxBwID
   AQABMA0GCSqGSIb3DQEBCwUAA4IBAQCHyskEU84T/YGhcjlpsdmobtyNhWc2ae/x
   fmQpY/XGzQkSmUZJA+Z04JMUbli7UKEOItmqSlU6j0BPy03UjavNHdDPYcUZIS28
   fPtzTkU3FdEBM/zkPXStBCo9+N34l4qSdir9hFWM1/CpkfP8PhteUQAqImXjbDVh
   qhrfOg+kY3dAz91kLLXuA4YfuC+eEJh0JGuXCivhGre5LL9njrajHnJ+HSt6HHjC
   R4U27/hzoK3r12XE5NjznjcaKk1AKFXZE92nqG/WYliyLpNNSrN+AmEKrPOHb8My
   ZJlaGAfm3K9vLEjwrLQSAIKpMdpUcNE7Ay+EsEYTQpy43VvwI8vL
   -----END CERTIFICATE-----

Example: Certificate Request
============================

For these examples, we assume you have all defaults and the engine config below in ``engine.conf``. The certificate request example below shows how to create that file.

.. code-block:: bash

   $ cat > engine.conf <
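As an added example that is not part of the original page, the following Python script wraps the key-generation, self-signed-certificate and CSR-signing steps from the ``Generating a Key in the Device`` section. It parses the ``Key pair generated:`` listing that ``pkcs11-tool`` prints (the listing from that section is embedded as a constructed sample) and refuses to issue certificates unless exactly one private key with the expected label exists, its ID matches the public half, and its usage is ``sign`` and nothing else, so a key created with broader capabilities than intended is caught before anything is signed with it. It deliberately omits ``--pin`` so that ``pkcs11-tool`` prompts for the PIN rather than exposing it in shell history and process listings, and it ends with ``openssl verify`` to confirm the issued certificate chains to the self-signed CA certificate. The module path, ``engine.conf``, slot 0, the label ``my_key``, the subject and the output file names are assumptions taken from the page's examples; ``run_workflow`` needs a connected YubiHSM 2, while the parsing and checking functions run offline.

```python
"""Added example (not the page's own code): drive pkcs11-tool and OpenSSL's pkcs11
engine against a YubiHSM 2, checking the generated key before certificates are issued."""
import re
import subprocess
from dataclasses import dataclass, field

MODULE = "/path/to/yubihsm_pkcs11.so"   # placeholder path, as on the page
ENGINE_CONF = "engine.conf"              # engine config file assumed to exist
SLOT = 0                                 # slot used in the page's examples

# Constructed sample: the "Key pair generated:" listing shown on this page.
SAMPLE_OUTPUT = """\
Using slot 0 with a present token (0x0)
Logging in to "YubiHSM".
Please enter User PIN:
Key pair generated:
Private Key Object; RSA
  label:      my_key
  ID:         04ec
  Usage:      sign
Public Key Object; RSA 2048 bits
  label:      my_key
  ID:         04ec
  Usage:      none
"""

HEADER = re.compile(r"^(Private Key|Public Key|Secret Key|Certificate|Data) Object;\s*(.*)$")
ATTR = re.compile(r"^\s+([A-Za-z][A-Za-z ]*?):\s+(.*)$")


@dataclass
class Pkcs11Object:
    kind: str                                  # e.g. "Private Key"
    key_type: str                              # e.g. "RSA 2048 bits"
    attrs: dict = field(default_factory=dict)  # lower-cased attribute names


def parse_objects(text):
    """Turn pkcs11-tool's object listing into Pkcs11Object records."""
    objs, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = Pkcs11Object(kind=m.group(1), key_type=m.group(2).strip())
            objs.append(cur)
            continue
        m = ATTR.match(line)
        if m and cur is not None:
            cur.attrs[m.group(1).strip().lower()] = m.group(2).strip()
    return objs


def engine_key_id(slot, label):
    """Key identifier in the form the page passes to -key / -CAkey."""
    return f"slot_{slot}-label_{label}"


def check_signing_keypair(objs, label, expected_usage="sign"):
    """Return a list of problems; an empty list means the pair is as intended."""
    problems = []
    priv = [o for o in objs if o.kind == "Private Key" and o.attrs.get("label") == label]
    pub = [o for o in objs if o.kind == "Public Key" and o.attrs.get("label") == label]
    if len(priv) != 1:
        problems.append(f"expected exactly one private key labelled {label!r}, found {len(priv)}")
    if len(pub) != 1:
        problems.append(f"expected exactly one public key labelled {label!r}, found {len(pub)}")
    if priv and pub and priv[0].attrs.get("id") != pub[0].attrs.get("id"):
        problems.append("private and public key IDs differ")
    if priv:
        # pkcs11-tool lists usage as a comma-separated set, e.g. "sign, decrypt"
        usage = set(priv[0].attrs.get("usage", "").replace(",", " ").split())
        if expected_usage not in usage:
            problems.append(f"private key lacks usage {expected_usage!r}")
        extra = sorted(usage - {expected_usage})
        if extra:
            problems.append(f"private key has unexpected usage: {extra}")
    return problems


def keypairgen_cmd(label, bits=2048):
    """--login without --pin makes pkcs11-tool prompt, so the PIN stays out of
    shell history and `ps` output."""
    return ["pkcs11-tool", "--module", MODULE, "--login", "--keypairgen",
            "--key-type", f"rsa:{bits}", "--label", label, "--usage-sign"]


def selfsigned_cmd(label, subject, out="cert.pem", days=365):
    return ["openssl", "req", "-new", "-x509", "-days", str(days), "-subj", subject,
            "-sha256", "-config", ENGINE_CONF, "-engine", "pkcs11", "-keyform", "engine",
            "-key", engine_key_id(SLOT, label), "-out", out]


def sign_csr_cmd(label, csr="req.csr", ca="cert.pem", out="signed.pem", serial=1):
    return ["openssl", "x509", "-req", "-CAkeyform", "engine", "-engine", "pkcs11",
            "-in", csr, "-CA", ca, "-CAkey", engine_key_id(SLOT, label),
            "-set_serial", str(serial), "-sha256", "-out", out]


def run_workflow(label="my_key", subject="/CN=my key/"):
    """Needs a connected YubiHSM 2 and engine.conf; not exercised by the tests."""
    listing = subprocess.run(keypairgen_cmd(label), check=True,
                             capture_output=True, text=True).stdout
    problems = check_signing_keypair(parse_objects(listing), label)
    if problems:
        raise SystemExit("refusing to issue certificates: " + "; ".join(problems))
    subprocess.run(selfsigned_cmd(label, subject), check=True)
    subprocess.run(sign_csr_cmd(label), check=True)
    # Final check: the issued certificate must chain to the self-signed CA cert.
    subprocess.run(["openssl", "verify", "-CAfile", "cert.pem", "signed.pem"], check=True)


if __name__ == "__main__":
    run_workflow()
```

The attribute check is the part worth keeping even if you drive the commands by hand: ``--usage-sign`` is what limits the private key to signing, and a key whose listing shows additional usages (``decrypt``, ``unwrap``) should not be used as a CA key. Because the YubiHSM PIN is the four-hex-digit authentication key ID followed by its password (``0001password`` in the page's example), letting the tool prompt for it also keeps the authentication key ID out of process listings.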