Creating a Local CA

  1. Open the /<OPENSSLDIR>/openssl.cnf file in a text editor and edit the [CA_default] section to the following:

openssl.cnf

dir = /localCA
new_certs_dir = $dir/newcerts

You can change dir to a directory of your choice, but make sure to use the same path in all subsequent steps. Here, we have created the directory /localCA under the root directory and set new_certs_dir = $dir/newcerts.

  1. Create the directory /localCA/newcerts.

mkdir /localCA/newcerts

  1. Create the text files /localCA/index.txt and /localCA/serial.

touch /localCA/index.txt
echo "01" > /localCA/serial

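
The three preparation steps above, as an added example that is not part of the original page: a POSIX shell script that builds the CA working directory, writes a matching [ CA_default ] section, and pre-flight checks the layout before any certificate is issued. It assumes the CA directory is passed as an argument (the page uses /localCA) and writes its own stand-alone config file openssl-ca.cnf inside that directory instead of editing <OPENSSLDIR>/openssl.cnf, so it never touches system files. The database and serial keys are the standard OpenSSL names for the index.txt and serial files that `openssl ca` reads alongside dir and new_certs_dir.

```shell
#!/bin/sh
# Added example, not Utimaco's or OpenSSL's own code.
# Assumption: the CA directory is given as $1 (the page uses /localCA).

# Create the directory layout described in steps 1-3.
setup_ca_dir() {
    ca_dir="$1"
    mkdir -p "$ca_dir/newcerts"
    # The index must exist and start empty; the serial starts at 01.
    # Both are guarded so that re-running on an existing CA never resets
    # the serial (a reset would make the CA reissue already-used serials).
    [ -e "$ca_dir/index.txt" ] || touch "$ca_dir/index.txt"
    [ -e "$ca_dir/serial" ]    || echo "01" > "$ca_dir/serial"
    # Stand-alone config (assumed name openssl-ca.cnf); the page edits the
    # system openssl.cnf instead. \$dir is written literally for OpenSSL.
    cat > "$ca_dir/openssl-ca.cnf" <<EOF
[ ca ]
default_ca    = CA_default

[ CA_default ]
dir           = $ca_dir
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
default_md    = sha256
policy        = policy_any

[ policy_any ]
commonName    = supplied
EOF
}

# Pre-flight check: returns 0 when the layout matches what the steps require.
check_ca_dir() {
    ca_dir="$1"
    [ -d "$ca_dir/newcerts" ]    || { echo "missing $ca_dir/newcerts"; return 1; }
    [ -f "$ca_dir/index.txt" ]   || { echo "missing $ca_dir/index.txt"; return 1; }
    [ -f "$ca_dir/serial" ]      || { echo "missing $ca_dir/serial"; return 1; }
    # The serial file must hold an even number of hex digits (OpenSSL
    # rejects odd-length serials); a fresh CA holds exactly "01".
    serial=$(cat "$ca_dir/serial")
    case "$serial" in
        *[!0-9A-Fa-f]*|"") echo "serial '$serial' is not hex"; return 1 ;;
    esac
    [ $(( ${#serial} % 2 )) -eq 0 ] || { echo "serial has odd length"; return 1; }
    # dir in the config must point at this directory.
    grep -q -x -F -- "dir           = $ca_dir" "$ca_dir/openssl-ca.cnf" \
        || { echo "dir not set to $ca_dir in openssl-ca.cnf"; return 1; }
    return 0
}

# Usage: sh ca-setup.sh /localCA
if [ $# -gt 0 ]; then
    setup_ca_dir "$1" && check_ca_dir "$1" && echo "CA directory $1 is ready"
fi
```

Run it once with the CA path; running it again is safe because the serial and index are only created when absent. The check also catches the two file-content mistakes that otherwise surface only as cryptic errors at `openssl ca` time: a non-hex or odd-length serial and a dir value that does not match the directory actually being used.
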
  1. Create a key pair by using p11tool2 for root CA.

# For RSA
p11tool2 slot=<SLOT_NUMBER> LoginUser=ask PubKeyAttr=CKA_LABEL="CAKey" PrvKeyAttr=CKA_LABEL="CAKey" GenerateKeyPair=RSA
# This generates RSA 2048 CA private and public keys on the HSM
# For ECC
p11tool2 slot=<SLOT_NUMBER> LoginUser=ask PubKeyAttr=CKA_LABEL="CAKey" PrvKeyAttr=CKA_LABEL="CAKey" GenerateKeyPair=ECC
# This generates ECC CA private and public keys on the HSM

  1. Verify that the keys have been generated on the HSM using the following command:

p11tool2 Slot=<SLOT_NUMBER> LoginUser=ask ListObjects
CKO_PUBLIC_KEY:

+ 1.1
  CKA_KEY_TYPE                   = CKK_RSA
  CKA_UNIQUE_ID                  = C92DB9A3-9D2C-4DB7-B217-EDC44BB5966C
  CKA_LABEL                      = CAKey
  CKA_ID                         = 

+ 1.2
  CKA_KEY_TYPE                   = CKK_ECDSA
  CKA_UNIQUE_ID                  = 3B4C290B-46FE-4F66-8E95-C7771A112A45
  CKA_LABEL                      = CAKeyECC
  CKA_ID                         = 


CKO_PRIVATE_KEY:

+ 2.1
  CKA_KEY_TYPE                   = CKK_RSA
  CKA_UNIQUE_ID                  = 02F66F14-0BB7-45B9-9100-74CDF5F71F46
  CKA_SENSITIVE                  = CK_TRUE
  CKA_EXTRACTABLE                = CK_FALSE
  CKA_LABEL                      = CAKey
  CKA_ID                         = 


+ 2.2
  CKA_KEY_TYPE                   = CKK_ECDSA
  CKA_UNIQUE_ID                  = 6153C311-91E7-4CA5-875A-8CC43DF36732
  CKA_SENSITIVE                  = CK_TRUE
  CKA_EXTRACTABLE                = CK_FALSE
  CKA_LABEL                      = CAKeyECC
  CKA_ID                         = 

  1. Create the CA certificate from the generated key; this certificate is used to sign the other certificates. Run the command below:

openssl req -new -x509 -days 365 -key "pkcs11:token=<token_name>;object=CAKey" -out /localCA/newcerts/ca.cer

Here, CAKey is the object label of the CA private key on the Utimaco HSM created in Step 5, and <token_name> is the token label. Provide the CryptoUser PIN when prompted.