Generate a Certificate from an Existing Key

  1. Obtain the key label using p11tool2.

p11tool2 LoginUser=ask ListObjects

  2. Generate a Certificate Signing Request (CSR).

openssl req -engine pkcs11 -new -key "pkcs11:token=<token_label>;object=<key_label>" -keyform engine -out TestRSACSR.csr

Here, key_label is the key label on the HSM. Provide the Cryptouser PIN and certificate details when prompted.

  3. Create the self-signed certificate based on the generated key.

openssl req -engine pkcs11 -new -x509 -days 365 -key "pkcs11:token=<token_label>;object=<key_label>" -keyform engine -out Test.cert
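
To confirm that the CSR and the certificate from the steps above are bound to the same HSM key (for example, that the intended key label was used in both commands), the following added example, which is not part of the original procedure, verifies the CSR's self-signature, compares the public keys in both files, and checks that the certificate has not expired. The function names are hypothetical; it reads only the public output files, so no HSM login is needed.

```bash
# Added example: function names are hypothetical; the file names
# TestRSACSR.csr and Test.cert are the outputs of the steps above.

# Print the SHA-256 of the PEM public key embedded in a CSR or certificate.
# $1: "req" for a CSR, "x509" for a certificate; $2: path to the PEM file
pubkey_fingerprint() {
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 if the pair is consistent, 1 if a file is unreadable or the CSR
# signature is bad, 2 if the public keys differ, 3 if the certificate expired.
check_csr_cert_pair() {
    csr="$1"; cert="$2"

    # The CSR must be signed by the private key matching its public key.
    # Match on the text because older OpenSSL builds exit 0 on failure.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' \
        || { echo "CSR self-signature check failed: $csr" >&2; return 1; }

    csr_fp=$(pubkey_fingerprint req "$csr") \
        || { echo "cannot read public key from $csr" >&2; return 1; }
    cert_fp=$(pubkey_fingerprint x509 "$cert") \
        || { echo "cannot read public key from $cert" >&2; return 1; }

    # Both files were produced from the same key label, so these must match.
    [ "$csr_fp" = "$cert_fp" ] \
        || { echo "public keys differ: $csr_fp vs $cert_fp" >&2; return 2; }

    # -checkend 0 fails if the certificate is already past notAfter.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "certificate has expired: $cert" >&2; return 3; }

    echo "OK: CSR and certificate share public key sha256:$csr_fp"
}

# Run directly as: ./check.sh TestRSACSR.csr Test.cert
if [ "$#" -eq 2 ]; then
    check_csr_cert_pair "$1" "$2"
fi
```

A return code of 2 means the two commands were run against different keys, which usually points to a wrong `<key_label>` or `<token_label>` in one of them.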