Generate Certificate Request for Sender and Receiver (Linux)

  1. Create the directories that will hold the sender and receiver certificate requests.

# mkdir /localCA/newcerts/sender
# mkdir /localCA/newcerts/receiver
  2. Generate a sender key pair using p11tool2.

For RSA

# p11tool2 slot=2 LoginUser=123456 PubKeyAttr=CKA_LABEL="SenderKey" PrvKeyAttr=CKA_LABEL="SenderKey" GenerateKeyPair=RSA

For ECC

# p11tool2 slot=2 LoginUser=123456 PubKeyAttr=CKA_LABEL="SenderKey" PrvKeyAttr=CKA_LABEL="SenderKey" GenerateKeyPair=ECC

Once key generation has completed, add a CKA_ID to both the public and the private ECC key using the PKCS#11 CryptoServer Administration Tool.

  3. Verify that the keys have been generated on the HSM using the following command (the same command lists ECC and RSA keys):

# p11tool2 slot=<Slot_No.> LoginUser=<CryptoUser_PIN> ListObjects

For ECC

Figure 23: CA certificate generation output Sender ECC Key List

For RSA

Figure 24: Sender RSA Key list

  4. Generate a certificate request for the sender.

# openssl req -engine pkcs11 -new -key "pkcs11:token=SSLCert1;object=SenderKey" -keyform engine -out /localCA/newcerts/sender/sender.txt

Figure 25: Sender certificate request generation

Leave the prompted value for "A challenge password" blank.

Here SSLCert1 is the token label and SenderKey is the key on the HSM. Provide the Cryptouser PIN when prompted.

  5. Sign the sender's certificate request with the CA.

# openssl ca -engine pkcs11 -policy policy_anything -cert /localCA/newcerts/ca.cer -in /localCA/newcerts/sender/sender.txt -keyfile "pkcs11:token=SSLCert1;object=CAKey" -keyform engine -out /localCA/newcerts/sender/SenderSignedCertificate.cert

Figure 26: Sender certificate request signing by CA

Press y to sign and y again to commit.

Here SSLCert1 is the token label and CAKey is the CA key on the HSM. Provide the Cryptouser PIN when prompted.
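The request and signing steps above, replayed end to end as an added example (this script is not part of the guide): locally generated RSA keys stand in for the HSM-held SenderKey and CAKey, so no PKCS#11 engine is involved, a minimal CA configuration with a policy_anything section is written into a temporary directory, the certificate is issued non-interactively, and then the two checks worth running on the real output are performed: the issued certificate verifies against the CA certificate, and it carries exactly the sender's public key. The same checks apply to the receiver certificate.

```shell
#!/bin/sh
# Added example, not part of the original guide: replays the CSR -> "openssl ca"
# signing flow with constructed software keys standing in for the HSM-held
# SenderKey and CAKey (no -engine pkcs11 needed), then verifies the result.
sign_and_verify() {
  dir=$(mktemp -d) || return 1
  mkdir -p "$dir/newcerts" && : > "$dir/index.txt" && echo 01 > "$dir/serial"
  # Minimal CA configuration; the policy_anything section mirrors the one the
  # guide's "openssl ca -policy policy_anything" command relies on.
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
default_md = sha256
default_days = 365
policy = policy_anything
[ policy_anything ]
countryName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
  # Constructed stand-ins for CAKey and SenderKey (the real ones never leave the HSM).
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/ca.key" 2>/dev/null || return 1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/sender.key" 2>/dev/null || return 1
  # Self-signed CA certificate; basicConstraints marks it as a CA so verify accepts it as a trust anchor.
  openssl req -x509 -new -config "$dir/ca.cnf" -key "$dir/ca.key" -subj "/CN=Local Test CA" \
    -addext "basicConstraints=critical,CA:TRUE" -out "$dir/ca.cer" || return 1
  # The guide's request step with a software key: the CSR carries the sender's public key.
  openssl req -new -config "$dir/ca.cnf" -key "$dir/sender.key" -subj "/CN=Sender" -out "$dir/sender.txt" || return 1
  # The guide's signing step; -batch replaces the y/y prompts, -notext keeps the output pure PEM.
  openssl ca -batch -notext -config "$dir/ca.cnf" -policy policy_anything -cert "$dir/ca.cer" \
    -keyfile "$dir/ca.key" -in "$dir/sender.txt" -out "$dir/SenderSignedCertificate.cert" 2>/dev/null || return 1
  # Checks to run on the real output too: the certificate chains to the CA, and its
  # SubjectPublicKeyInfo is exactly the public half of the key pair created for the sender.
  openssl verify -CAfile "$dir/ca.cer" "$dir/SenderSignedCertificate.cert" >/dev/null || return 1
  cert_pub=$(openssl x509 -in "$dir/SenderSignedCertificate.cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/sender.key" -pubout)
  rm -rf "$dir"
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```

Run `sign_and_verify && echo OK` to exercise the flow; a mismatch between the certificate's public key and the key you generated means the wrong object label was referenced in the request.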

  6. Generate a key pair for the receiver using p11tool2.

For the receiver only an RSA key pair is generated, because OpenSSL 3 does not support encryption and decryption with an ECC key.

For RSA

./p11tool2 slot=<Slot_No.> LoginUser=123456 PubKeyAttr=CKA_LABEL="ReceiverKey" PrvKeyAttr=CKA_LABEL="ReceiverKey" GenerateKeyPair=RSA

Verify that the key pair has been generated on the HSM using the following command:

# p11tool2 slot=<Slot_No.> LoginUser=<CryptoUser_PIN> ListObjects

Figure 27: Receiver RSA Key list

  7. Generate a certificate request for the receiver.

# openssl req -engine pkcs11 -new -key "pkcs11:token=SSLCert1;object=ReceiverKey" -keyform engine -out /localCA/newcerts/receiver/Receiver.txt

Figure 28: Receiver certificate request generation

Leave the prompted value for "A challenge password" blank.

Here SSLCert1 is the token label and ReceiverKey is the key on the HSM. Provide the Cryptouser PIN when prompted.

  8. Sign the receiver's certificate request with the CA.

# openssl ca -engine pkcs11 -policy policy_anything -cert /localCA/newcerts/ca.cer -in /localCA/newcerts/receiver/Receiver.txt -keyfile "pkcs11:token=SSLCert1;object=CAKey" -keyform engine -out /localCA/newcerts/receiver/ReceiverSignedCertificate.cert

Figure 29: Receiver certificate request signing by CA

Press y to sign and y again to commit.

Here SSLCert1 is the token label and CAKey is the CA key on the HSM. Provide the Cryptouser PIN when prompted.