Generating Key and Certificate for GnuPG

1. Generate the key pair using below p11tool2 command

# p11tool2 Slot=21 LoginUser=123456 

PubKeyAttr=CKA_LABEL="GPGPublicKey",CKA_ID=0x45 

PrvKeyAttr=CKA_LABEL="GPGPrivateKey",CKA_ID=0x45 GenerateKeyPair=RSA 

2. Verify that the keys are generated

# p11tool2 Slot=21 LoginUser=123456 ListObjects 

Listing keys on HSM slot

3. Install opensc and openssl-pcs11

# dnf install opensc openssl-pkcs11 

4. Open openssl shell and load the dynamic engine

# openssl  

OpenSSL> engine  dynamic -pre SO_PATH:/usr/lib64/engines-1.1/pkcs11.so pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/opt/utimaco/lib/libcs_pkcs11_R3.so

Loading dynamic engine in openssl

5. Run the following command to generate a self-signed certificate. Provide slot PIN when prompted.

OpenSSL> req -x509 -engine pkcs11 -keyform engine -new -key 

"pkcs11:token=gpgslot;object=GPGPrivateKey" -sha256 -out gpgcert.pem -subj "/CN=test.utimaco.com" 

Generating self-signed certificate

Here gpgslot is the token label and GPGPrivateKey is the key on the Utimaco HSM.

After this a certificate gpgcert.pem is generated.

Type exit to exit from openssl prompt

6. Convert the certificate from pem to der

# openssl x509 -outform der -in gpgcert.pem -out gpgcert.der 

7. Import the certificate to Utimaco HSM

# pkcs11-tool --module /opt/utimaco/lib/libcs_pkcs11_R3.so -l --writeobject gpgcert.der --type cert --token-label gpgslot --id 45 --label "GPGCert" 

Importing certificate to Utimaco HSM

Here gpgslot is the token label, 45 is the CKA_ID of the private key on the HSM and gpgcert.der is the certificate name.

8. Verify that the certificate has been imported to Utimaco HSM

# p11tool2 slot=21 LoginUser=123456 ListObjects 

Listing keys and certificate on HSM slot