Generate Certificate Request for Sender and Receiver (Windows)

  1. Create a directory to generate the certificate request for sender and receiver

›_ Console

# mkdir C:\localCA\newcerts\sender

# mkdir C:\localCA\newcerts\receiver
  2. Generate a sender key using p11tool2. For RSA:

›_ Console

C:\Program Files\Utimaco\SecurityServer\Administration>p11tool2 slot=0 LoginUser=12345678 PubKeyAttr=CKA_LABEL="SenderKey" PrvKeyAttr=CKA_LABEL="SenderKey" GenerateKeyPair=RSA

For ECC:

›_ Console

C:\Program Files\Utimaco\SecurityServer\Administration>p11tool2 slot=4 LoginUser=12345678 PubKeyAttr=CKA_LABEL="SenderKey" PrvKeyAttr=CKA_LABEL="SenderKey" GenerateKeyPair=ECC

Figure 43: Generate ECC key for Sender

Once key generation has completed, add a CKA_ID to both the public and the private ECC key using the PKCS#11 CryptoServer Administration tool.

Verify the ECC key:


Figure 44: List Sender ECC Key

  3. Generate a certificate request for the sender

›_ Console

C:\OpenSSL-Win64\bin>openssl req -engine pkcs11 -new -key "pkcs11:token=SSLCert;object=SenderKey" -keyform engine -out C:\localCA\newcerts\sender\senderNew.txt

Figure 45: Sender certificate request generation output

Leave the "A challenge password" prompt blank.

Here SSLCert is the token label and SenderKey is the key on the HSM. Provide the Cryptouser PIN when prompted.

  4. Sign the certificate request for the sender with the CA

›_ Console

C:\OpenSSL-Win64\bin>openssl ca -engine pkcs11 -policy policy_anything -cert C:\localCA\newcerts\ca.cer -in C:\localCA\newcerts\sender\senderNew.txt -keyfile "pkcs11:token=SSLCert;object=CertKey" -keyform engine -out C:\localCA\newcerts\sender\SenderSignedCertificate.cer

Figure 46: Sender certificate request signing by CA

Press y to sign and y again to commit.

Here SSLCert is the token label and CertKey is the CA signing key on the HSM. Provide the Cryptouser PIN when prompted.

  5. Generate a key for the receiver using p11tool2 (RSA)

›_ Console

C:\Program Files\Utimaco\SecurityServer\Administration>p11tool2 slot=0 LoginUser=12345678 PubKeyAttr=CKA_LABEL="ReceiverKey" PrvKeyAttr=CKA_LABEL="ReceiverKey" GenerateKeyPair=RSA

Figure 47: List Receiver key output

For the receiver only an RSA key is generated, because OpenSSL 3 does not support encryption and decryption with an ECC key.

  6. Generate a certificate request for the receiver using the RSA key

›_ Console

C:\OpenSSL-Win64\bin>openssl req -engine pkcs11 -new -key "pkcs11:token=SSLCert;object=ReceiverKey" -keyform engine -out C:\localCA\newcerts\receiver\ReceiverNew.txt

Figure 48: Receiver certificate request generation output

Here SSLCert is the token label and ReceiverKey is the key on the HSM. Provide the Cryptouser PIN when prompted.

  7. Sign the certificate request for the receiver with the CA

›_ Console

C:\OpenSSL-Win64\bin>openssl ca -engine pkcs11 -policy policy_anything -cert C:\localCA\newcerts\ca.cer -in C:\localCA\newcerts\receiver\ReceiverNew.txt -keyfile "pkcs11:token=SSLCert;object=CertKey" -keyform engine -out C:\localCA\newcerts\receiver\receiverNew.cer

Figure 49: Receiver certificate request signing by CA

Press y to sign and y again to commit.

Here SSLCert is the token label and CertKey is the CA signing key on the HSM. Provide the Cryptouser PIN when prompted.
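As an added check that is not part of the original guide, the following PowerShell script confirms the result of steps 3 to 7: each issued certificate chains to ca.cer, carries exactly the public key from its CSR (the HSM key the request was generated with), and, for the receiver, uses RSA as this guide requires. It assumes the paths and file names used above and openssl.exe in C:\OpenSSL-Win64\bin; the function names are mine.

```powershell
# Post-issuance checks for the sender and receiver certificates (added example).
# Assumed locations: the guide's directory layout and the OpenSSL-Win64 binary.
$OpenSsl = 'C:\OpenSSL-Win64\bin\openssl.exe'
$CaCert  = 'C:\localCA\newcerts\ca.cer'

function Get-PublicKeyPem {
    # Returns the PEM SubjectPublicKeyInfo of a CSR ('req') or certificate ('x509')
    # as one string, so the key in the request can be compared with the certified key.
    param([string]$Path, [ValidateSet('req', 'x509')][string]$Kind)
    $lines = & $OpenSsl $Kind -in $Path -noout -pubkey
    if ($LASTEXITCODE -ne 0) { throw "openssl $Kind -pubkey failed for $Path" }
    return ($lines -join "`n")
}

function Get-PublicKeyAlgorithm {
    # Reads the key algorithm (e.g. rsaEncryption, id-ecPublicKey) from the text dump.
    param([string]$Path)
    $text = & $OpenSsl x509 -in $Path -noout -text
    $m = [regex]::Match(($text -join "`n"), 'Public Key Algorithm:\s*(\S+)')
    if (-not $m.Success) { throw "no Public Key Algorithm line found in $Path" }
    return $m.Groups[1].Value
}

function Test-IssuedCertificate {
    # 1) the certificate verifies against the local CA certificate,
    # 2) its public key is byte-for-byte the key from the CSR,
    # 3) with -RequireRsa, the key is RSA (needed for the receiver, since OpenSSL 3
    #    does not encrypt/decrypt with ECC keys).
    param([string]$Csr, [string]$Cert, [switch]$RequireRsa)
    & $OpenSsl verify -CAfile $CaCert $Cert | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "$Cert does not verify against $CaCert" }
    if ((Get-PublicKeyPem $Csr 'req') -ne (Get-PublicKeyPem $Cert 'x509')) {
        throw "public key in $Cert differs from the key in $Csr"
    }
    $alg = Get-PublicKeyAlgorithm $Cert
    if ($RequireRsa -and $alg -ne 'rsaEncryption') {
        throw "$Cert uses $alg, but an RSA key is required here"
    }
    Write-Host "OK: $Cert chains to the CA, matches its CSR, key algorithm $alg"
}

Test-IssuedCertificate -Csr 'C:\localCA\newcerts\sender\senderNew.txt' `
                       -Cert 'C:\localCA\newcerts\sender\SenderSignedCertificate.cer'
Test-IssuedCertificate -Csr 'C:\localCA\newcerts\receiver\ReceiverNew.txt' `
                       -Cert 'C:\localCA\newcerts\receiver\receiverNew.cer' -RequireRsa
```

The files written by openssl ca contain a text dump before the PEM block; the PEM readers used here skip that preamble, so the .cer files can be passed as-is.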