Sign a Certificate using the Local CA

  1. Generate a key pair on the HSM using p11tool2. The label you assign here is how the key is addressed later through the PKCS#11 URI, so keep the sender's key label distinct from the label of the CA's own key.

Bash
# For RSA
p11tool2 slot=<slot_No.> LoginUser=ask PubKeyAttr=CKA_LABEL="<key_label>" PrvKeyAttr=CKA_LABEL="<key_label>" GenerateKeyPair=RSA
# This generates an RSA 2048-bit key pair on the HSM; the private key stays on the HSM and is only ever referenced by its label
# For ECC
p11tool2 slot=<slot_No.> LoginUser=ask PubKeyAttr=CKA_LABEL="<key_label>" PrvKeyAttr=CKA_LABEL="<key_label>" GenerateKeyPair=ECC
# This generates an ECC key pair on the HSM. PKCS#11 selects the curve through the CKA_EC_PARAMS attribute
# of the public key, so set it via PubKeyAttr if p11tool2 does not apply a default for your slot
  2. Generate a certificate request. The CSR is signed by the sender's private key inside the HSM, which is referenced by PKCS#11 URI instead of a key file; the type=private part selects the private key object among the objects sharing that label. This assumes OpenSSL has a PKCS#11 provider loaded (with the libp11 engine instead, add -engine pkcs11 -keyform engine). You are prompted for the subject DN unless you pass -subj.

Bash
openssl req -new -key "pkcs11:token=<token_label>;object=<key_label>;type=private" -out /localCA/newcerts/request.csr
  3. Sign the certificate request for the sender with the CA. Here -keyfile must reference the CA's private key on the HSM (its own label, not the sender's key label from step 1) and -cert the matching CA certificate. openssl ca also needs a configuration that defines policy_anything together with the CA's database and serial files; pass it with -config if it is not your default openssl.cnf. The same PKCS#11 provider or engine setup as in step 2 applies.

Bash
openssl ca -policy policy_anything -cert /localCA/newcerts/ca.cer -in /localCA/newcerts/request.csr -keyfile "pkcs11:token=<token_label>;object=<ca_key_label>;type=private" -out /localCA/newcerts/certificate.crt
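As an added end-to-end example (not from this page and not part of the p11tool2 or OpenSSL documentation), the following POSIX shell script runs the same three steps against a throwaway local CA, with software keys standing in for the HSM objects, and then performs the two checks a practitioner wants after step 3: that the issued certificate chains to the CA and that its public key is the one from the CSR. The directory layout, the openssl.cnf contents, and the CN values are assumptions made for the example. To run it against the HSM, generate the keys with p11tool2 instead of openssl genpkey and replace the -key and -keyfile file paths with the PKCS#11 URIs from the steps above.

```shell
#!/bin/sh
# Constructed example: local CA issuance flow with verification.
set -e

# Create the CA directory, the openssl.cnf that openssl ca needs, and a
# self-signed CA certificate. Software CA key here; on the HSM this is the
# CA key generated with p11tool2 and addressed by PKCS#11 URI.
setup_local_ca() {   # $1 = CA directory (created if missing)
  cadir=$1
  mkdir -p "$cadir/newcerts" "$cadir/private"
  : > "$cadir/index.txt"        # certificate database, empty to start
  echo 1000 > "$cadir/serial"   # next serial number
  cat > "$cadir/openssl.cnf" <<EOF
[ ca ]
default_ca = local_ca

[ local_ca ]
dir             = $cadir
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/ca.cer
private_key     = \$dir/private/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_anything
x509_extensions = usr_cert

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name
EOF
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$cadir/private/ca.key" 2>/dev/null
  openssl req -x509 -new -config "$cadir/openssl.cnf" -extensions v3_ca \
      -key "$cadir/private/ca.key" -subj "/CN=Local Test CA" -days 365 \
      -out "$cadir/ca.cer"
}

# Steps 1-3 of the page: sender key pair, CSR, CA signature.
# Writes $cadir/newcerts/request.csr and $cadir/newcerts/certificate.crt.
issue_sender_cert() {   # $1 = CA directory, $2 = sender common name
  cadir=$1; cn=$2
  # Step 1 stand-in for the p11tool2 key pair (software key for the example)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$cadir/private/sender.key" 2>/dev/null
  # Step 2: CSR signed with the sender key (HSM: -key "pkcs11:...;type=private")
  openssl req -new -config "$cadir/openssl.cnf" -key "$cadir/private/sender.key" \
      -subj "/CN=$cn" -out "$cadir/newcerts/request.csr"
  # Step 3: sign with the CA key (HSM: -keyfile is the CA key's PKCS#11 URI)
  openssl ca -batch -config "$cadir/openssl.cnf" -policy policy_anything \
      -cert "$cadir/ca.cer" -keyfile "$cadir/private/ca.key" -days 365 \
      -in "$cadir/newcerts/request.csr" \
      -out "$cadir/newcerts/certificate.crt" >/dev/null
}

# Post-issuance checks: chain validation against the CA certificate, and the
# certificate must carry exactly the public key that was in the CSR.
check_issued_cert() {   # $1 = CA directory, $2 = certificate path
  openssl verify -CAfile "$1/ca.cer" "$2" >/dev/null || return 1
  csr_pub=$(openssl req -in "$1/newcerts/request.csr" -noout -pubkey)
  crt_pub=$(openssl x509 -in "$2" -noout -pubkey)
  [ "$csr_pub" = "$crt_pub" ]
}
```

Run setup_local_ca once, then issue_sender_cert per request and check_issued_cert on the result; check_issued_cert returns non-zero if either the chain does not validate or the key in the certificate differs from the key in the request, which is the check that catches a -keyfile or -key pointing at the wrong label.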