Creating a local CA and Performing Cryptographic Operations with OpenSSL

  1. Open the <OPENSSLDIR>\openssl.cnf file in a text editor and edit the [CA_default] section. Make the following changes:

›_ Console

[ CA_default ]
dir = C:\\localCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = C:\\localCA\\index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = C:\\localCA\\newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = C:\\localCA\\serial.txt # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/CertKey.pem # The private key

You can change dir to a directory of your choice, but make sure to use the correct path in the subsequent steps.

Here we have created the directory C:\localCA and set new_certs_dir = $dir\newcerts.

  2. Create the text files C:\localCA\index.txt and C:\localCA\serial.txt.

  3. Create the directory C:\localCA\newcerts.

  4. Open the C:\localCA\serial.txt file, write 01 on the first line, press Enter, and save the file.

  5. Create a key pair using p11tool2. For RSA:

›_ Console

C:\Program Files\Utimaco\SecurityServer\Administration>p11tool2 slot=0 LoginUser=12345678 PubKeyAttr=CKA_LABEL="CertKey" PrvKeyAttr=CKA_LABEL="CertKey" GenerateKeyPair=RSA

This generates an RSA 2048 CA private key on the HSM.

Figure 38: Generating RSA Key

For ECC:

›_ Console

C:\Program Files\Utimaco\SecurityServer\Administration>p11tool2 slot=<slot_no.> LoginUser=12345678 PubKeyAttr=CKA_LABEL="CertKey" PrvKeyAttr=CKA_LABEL="CertKey" GenerateKeyPair=ECC

This generates an ECC CA private key on the HSM.

Figure 39: Generating ECC Key

Once key generation has completed, add a CKA_ID to both the public and the private ECC key using the PKCS#11 CryptoServer Administration tool.

  6. Verify that the key has been generated on the HSM using the following command:

›_ Console

C:\Program Files\Utimaco\SecurityServer\Administration>p11tool2 slot=0 LoginUser=<slot_PIN> ListObjects

Figure 40: CA RSA Key list

For ECC:

Figure 41: ECC Key

  7. Create a CA certificate, based on the generated key, that will be used to sign other certificates:

›_ Console

C:\OpenSSL-Win64\bin>openssl req -engine pkcs11 -new -x509 -days 365 -key "pkcs11:token=SSLCert;object=CertKey" -keyform engine -out C:\localCA\newcerts\ca.cer

Figure 42: CA certificate generation output

Here CertKey is the object label of the CA private key created on the Utimaco HSM in Step 5, and SSLCert is the token label. Provide the Cryptouser PIN when prompted.
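Before the CA certificate from Step 7 is used with openssl ca to sign other certificates, the directory layout from Steps 2 to 4 has to match what [CA_default] points at. The following Python script is an added example, not part of the Utimaco guide or of OpenSSL: it parses a [CA_default] section (the sample configuration inside it is constructed to mirror the values above, with a temporary directory standing in for C:\localCA), resolves $dir references, and reports what openssl ca would stumble over: a missing newcerts directory or index.txt, and a serial.txt whose first line is not an even-length hex number such as 01.

```python
"""Check a local CA directory layout against the [CA_default] section.

Added example (not part of the original guide): parses [CA_default] from an
openssl.cnf-style text, resolves $dir references, and verifies that the files
Steps 2 to 4 create (index.txt, serial.txt, newcerts/) exist and are usable by
"openssl ca" before any certificate is signed.
"""
import os
import re
import tempfile

# Constructed sample [CA_default] section mirroring the guide's values, with a
# {root} placeholder instead of C:\localCA so the check runs on any machine.
SAMPLE_CNF = """
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = {root}                      # Where everything is kept
certs = $dir/certs                # Where the issued certs are kept
database = {root}/index.txt       # database index file.
new_certs_dir = {root}/newcerts   # default place for new certs.
certificate = $dir/cacert.pem     # The CA certificate
serial = {root}/serial.txt        # The current serial number
private_key = $dir/private/CertKey.pem # The private key
"""


def parse_section(text, section):
    """Return key/value pairs of one [section]: comments stripped, $dir expanded."""
    values = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[\s*(\S+)\s*\]$", line)
        if header:
            current = header.group(1)
            continue
        if current != section or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        # openssl.cnf writes Windows paths with doubled backslashes (C:\\localCA)
        values[key] = value.replace("\\\\", "\\")
    dir_value = values.get("dir", "")
    # A lambda replacement keeps backslashes in dir_value from being re-escaped
    return {k: re.sub(r"\$\{?dir\}?", lambda _m: dir_value, v) for k, v in values.items()}


def serial_problem(first_line):
    """None if first_line is a serial openssl ca accepts (even-length hex, e.g. 01), else a message."""
    value = first_line.strip()
    if not re.fullmatch(r"[0-9A-Fa-f]+", value) or len(value) % 2:
        return f"serial must be an even-length hex number such as 01, got {value!r}"
    return None


def check_ca_layout(config_text):
    """Return a list of problems with the CA layout; an empty list means it is usable."""
    ca = parse_section(config_text, "CA_default")
    problems = [f"{k} is not set in [CA_default]"
                for k in ("dir", "database", "serial", "new_certs_dir") if k not in ca]
    if problems:
        return problems
    for key in ("dir", "new_certs_dir"):
        if not os.path.isdir(ca[key]):
            problems.append(f"{key} {ca[key]} is not a directory")
    if not os.path.isfile(ca["database"]):
        problems.append(f"database {ca['database']} is missing (create an empty index.txt)")
    if not os.path.isfile(ca["serial"]):
        problems.append(f"serial file {ca['serial']} is missing")
    else:
        with open(ca["serial"]) as fh:
            issue = serial_problem(fh.readline())
        if issue:
            problems.append(f"{ca['serial']}: {issue}")
    return problems


def create_ca_layout(root):
    """Create what Steps 2 to 4 describe: empty index.txt, serial.txt holding 01, newcerts/."""
    os.makedirs(os.path.join(root, "newcerts"), exist_ok=True)
    open(os.path.join(root, "index.txt"), "a").close()
    with open(os.path.join(root, "serial.txt"), "w") as fh:
        fh.write("01\n")


def demo():
    """Check a fresh temporary CA root before and after creating the layout."""
    with tempfile.TemporaryDirectory() as root:
        cnf = SAMPLE_CNF.format(root=root)
        before = check_ca_layout(cnf)   # three problems: newcerts, index.txt, serial.txt
        create_ca_layout(root)
        after = check_ca_layout(cnf)    # no problems
        return before, after


if __name__ == "__main__":
    missing, ok = demo()
    print("before:", *missing, sep="\n  ")
    print("after:", ok)
```

To check a real installation, read the edited openssl.cnf into check_ca_layout instead of SAMPLE_CNF; because the parser collapses the doubled backslashes that openssl.cnf uses for Windows paths and resolves $dir, the same function works for the C:\\localCA values shown in Step 1.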