Command Summary

| Task | Command |
| --- | --- |
| Create an RSA Key | `p11tool2 slot=$PKCS11_SLOT LoginUser=$PKCS11_PIN PubKeyAttr=CKA_LABEL=$KEY_LABEL PrvKeyAttr=CKA_LABEL=$KEY_LABEL GenerateKeyPair=RSA` |
| Create an ECC Key | `p11tool2 slot=$PKCS11_SLOT LoginUser=$PKCS11_PIN PubKeyAttr=CKA_LABEL=$KEY_LABEL PrvKeyAttr=CKA_LABEL=$KEY_LABEL GenerateKeyPair=RSA` |
| Generate a Certificate Signing Request from a key | `openssl req -new -key "pkcs11:token=$PKCS11_TOKEN;object=$KEY_LABEL;pin-value=$PKCS11_PIN" [-subj "/CN=.../"] -out test.csr` |
| Generate a certificate from a Certificate Signing Request | `openssl req -new -x509 -days 365 -key "pkcs11:token=$PKCS11_TOKEN;object=$KEY_LABEL;pin-value=$PKCS11_PIN" -subj "/CN=.../" -out test.cert` |
| Generate an encrypted message from a file using a certificate | `openssl cms -encrypt -in message.txt -out encrypted_message.txt test.cert` |
| Decrypt an encrypted message using a private key | `openssl cms -decrypt -in encrypted_message.txt -inkey "pkcs11:token=$PKCS11_TOKEN;object=$KEY_LABEL;pin-value=$PKCS11_PIN" -out decrypted_message.txt` |
| Generate a signed message from a file using a private key | `openssl cms -sign -in message.txt -signer test.cert -inkey "pkcs11:token=$PKCS11_TOKEN;object=$KEY_LABEL;pin-value=$PKCS11_PIN" -out signed_message.txt` |
| Verify a signed message using a certificate | `openssl cms -verify -noverify -in signed_message.txt -CAfile test.cert -out verified_message.txt` |
| Generate a CA from a private key | `openssl req -new -x509 -days 365 -key "pkcs11:token=$PKCS11_TOKEN;object=$KEY_LABEL;pin-value=$PKCS11_PIN" -subj "/CN=.../" -out ca.cer` |
| Sign a Certificate Signing Request using a CA private key | `openssl ca -batch -policy policy_anything -cert ca.cer -in request.csr -keyfile "pkcs11:token=$PKCS11_TOKEN;object=$KEY_LABEL;pin-value=$PKCS11_PIN" -out certificate.crt` |

List of Commands