Generate Keys and Certificate for SSL

  1. Generate the RSA key pair using p11tool2.

     # p11tool2 slot=<slot_no> LoginUser=<cryptouser_password> \
         PubKeyAttr=CKA_LABEL="RSAKey",CKA_ID=0x45 \
         PrvKeyAttr=CKA_LABEL="RSAKey",CKA_ID=0x45 GenerateKeyPair=RSA

  2. Verify that the keys were generated on the HSM using the following command.

     # p11tool2 slot=<slot_no> LoginUser=<cryptouser_password> ListObjects

     [Figure: List objects output]

  3. Generate a certificate signing request.

     # openssl req -engine pkcs11 -new -key "pkcs11:token=apache;object=RSAKey" -keyform engine -out apache.csr

     Here apache is the token label and RSAKey is the key on the HSM. Provide the Cryptouser PIN when prompted. apache.csr is the resulting certificate signing request file. Also provide the other certificate details (subject fields) when prompted.

     [Figure: Generate CSR certificate output]

  4. Get this CSR signed by your CA and copy the signed certificate to the Apache server.

  5. Alternatively, you can create a self-signed certificate based on the generated key.

     # openssl req -engine pkcs11 -new -x509 -days 365 -key "pkcs11:token=apache;object=RSAKey" -keyform engine -out SSL.cert

     Here apache is the token label and RSAKey is the key on the HSM. Provide the Cryptouser PIN when prompted. Also provide the other certificate details (subject fields) when prompted.

     [Figure: Generate self-signed certificate output]

     [Figure: Certificate file output]

A CA-signed certificate is recommended for production environments; use the self-signed certificate only for testing.
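After steps 3 and 5 a practitioner wants to confirm that the CSR and the certificate actually carry the public key of the pair on the HSM, and that the check works without the private key ever leaving the token. The script below is an added example, not part of the original page or of the p11tool2 or OpenSSL documentation: it compares SHA-256 fingerprints of the SubjectPublicKeyInfo extracted from the key, the CSR and the self-signed certificate. Because the verifier has no HSM, a throwaway software RSA key stands in for "pkcs11:token=apache;object=RSAKey" (a stated assumption); against the real token you would replace `-key "$WORK/key.pem"` with `-engine pkcs11 -key "pkcs11:token=apache;object=RSAKey" -keyform engine` in the two `openssl req` calls and take the reference public key from `ListObjects`/the certificate rather than from a PEM file, since the private key is not exportable. The subject name and file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the page): verify that CSR, certificate and key pair
# share one public key. Only public material is compared, so it works equally
# for an HSM-resident key whose private half cannot be read out.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the HSM key "pkcs11:token=apache;object=RSAKey":
# a throwaway software RSA key so the script runs with no token attached.
make_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/key.pem" 2>/dev/null
}

# Step 3 of the page: the CSR (engine options dropped for the software key).
make_csr() {
  openssl req -new -key "$WORK/key.pem" -subj "/CN=apache.example.test" \
    -out "$WORK/apache.csr" 2>/dev/null
}

# Step 5 of the page: the self-signed certificate from the same key.
make_selfsigned() {
  openssl req -new -x509 -days 365 -key "$WORK/key.pem" \
    -subj "/CN=apache.example.test" -out "$WORK/SSL.cert" 2>/dev/null
}

# Read a PEM public key on stdin, emit the SHA-256 of its DER encoding, so
# keys pulled from different containers can be compared as plain strings.
pubkey_fp() {
  openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

key_pubkey_fp()  { openssl pkey -in "$WORK/key.pem" -pubout | pubkey_fp; }
csr_pubkey_fp()  { openssl req -in "$WORK/apache.csr" -noout -pubkey | pubkey_fp; }
cert_pubkey_fp() { openssl x509 -in "$WORK/SSL.cert" -noout -pubkey | pubkey_fp; }

# Returns 0 only if key, CSR and certificate all carry the same public key.
verify_chain() {
  make_key && make_csr && make_selfsigned
  k="$(key_pubkey_fp)"; c="$(csr_pubkey_fp)"; x="$(cert_pubkey_fp)"
  [ "$k" = "$c" ] && [ "$k" = "$x" ]
}

# Negative control: a different key must NOT match the certificate, which
# shows the comparison is not vacuous (e.g. wrong CKA_LABEL picked at step 3).
detect_wrong_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/other.pem" 2>/dev/null
  o="$(openssl pkey -in "$WORK/other.pem" -pubout | pubkey_fp)"
  [ "$o" != "$(cert_pubkey_fp)" ]
}
```

Run it with `verify_chain && echo "CSR and certificate match the key"`; a non-zero exit means the CSR or certificate was produced from a different key than expected and should not be installed on the Apache server.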