Creating a Local CA

  1. Open the /<OPENSSLDIR>/openssl.cnf file in a text editor and edit the [CA_default] section to the following:

openssl.cnf

dir = /localCA
new_certs_dir = $dir/newcerts

You can change dir to a directory of your choice, but make sure to use the correct path in the subsequent steps. Here, the directory /localCA is created under the root directory, and new_certs_dir = $dir/newcerts.

  1. Create the directory /localCA/newcerts.

›_ Console

mkdir /localCA/newcerts

  1. Create the text files /localCA/index.txt and /localCA/serial.

›_ Console

touch /localCA/index.txt
echo "01" > /localCA/serial

  1. Create a key pair for the root CA by using qptool2.

›_ Console

./bin/qptool2 -lib "/opt/utimaco/lib/libcs_pkcs11_R3.so" -s SLOT_ID -p PIN -token -mldsa -keytype 2 -label KEY_LABEL -gen -count 1

  1. Verify that the keys have been generated on the HSM by using the following command:

›_ Console

/opt/utimaco/bin/p11tool2 slot=SLOT_ID LoginUser=ask ListObjects
Enter normal user PIN:
CKO_PUBLIC_KEY:
+ 1.1
  CKA_KEY_TYPE                   = CKK_VENDOR_DEFINED
  CKA_UNIQUE_ID                  = C3B21F47-56D3-4433-95C9-41793210D5E8
  CKA_LABEL                      = MLDSA_2_key
  CKA_ID                         = 0x3030 (00)
CKO_PRIVATE_KEY:
+ 2.1
  CKA_KEY_TYPE                   = CKK_VENDOR_DEFINED
  CKA_UNIQUE_ID                  = 056E1AC8-E31A-464F-9336-95C220287A97
  CKA_SENSITIVE                  = CK_TRUE
  CKA_EXTRACTABLE                = CK_FALSE
  CKA_LABEL                      = MLDSA_2_key
  CKA_ID                         = 0x3030 (00)

  1. Create the CA certificate, which is used for signing other certificates, from the generated key by running the command below.

›_ Console

openssl req -new -x509 -days 365 -key "pkcs11:token=TOKEN_NAME;object=KEY_LABEL;type=private" -out /localCA/newcerts/ca.cer

Here, KEY_LABEL is the object label of the CA private key created on the Utimaco HSM in Step 5, and TOKEN_NAME is the token label. Provide the CryptoUser PIN when prompted.

  1. A certificate request can be signed by the CA using the following command.

›_ Console

openssl ca -policy policy_anything -cert /localCA/newcerts/ca.cer -in /localCA/newcerts/request.csr -keyfile "pkcs11:token=TOKEN_NAME;object=KEY_LABEL;type=private" -out /localCA/newcerts/certificate.crt
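The steps above, collected into a shell script as an added example (not part of this documentation or of any Utimaco tool). It builds the CA directory layout that openssl ca expects, checks it before any signing takes place, and adds an openssl verify call after issuance so that a certificate that does not chain to the HSM-backed CA is noticed immediately. The function names, the CA directory argument, and the assumption that OpenSSL is already configured to resolve pkcs11: URIs (as the commands above require) are all assumptions of this example.

```shell
#!/bin/sh
# Added example: local CA helpers around an HSM-held ML-DSA key.
# Assumes OpenSSL can resolve pkcs11: URIs; TOKEN_NAME / KEY_LABEL
# are the token and object labels used in the steps above.
set -eu

# Create the layout from the steps above. The tree holds the CA database
# (index.txt) and the serial counter, so only its owner may read it.
setup_ca_dir() {
    ca_dir="$1"
    mkdir -p "$ca_dir/newcerts"
    chmod 700 "$ca_dir"
    [ -f "$ca_dir/index.txt" ] || : > "$ca_dir/index.txt"
    [ -f "$ca_dir/serial" ] || echo "01" > "$ca_dir/serial"
}

# Return 0 when newcerts/, index.txt and serial exist and the serial file
# holds an even-length hex value (openssl ca rejects odd-length serials).
check_ca_dir() {
    ca_dir="$1"
    [ -d "$ca_dir/newcerts" ] || return 1
    [ -f "$ca_dir/index.txt" ] || return 1
    [ -f "$ca_dir/serial" ] || return 1
    serial=$(cat "$ca_dir/serial")
    case "$serial" in
        "" | *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ $(( ${#serial} % 2 )) -eq 0 ] || return 1
    return 0
}

# Self-signed CA certificate from the private key on the HSM; prompts for
# the CryptoUser PIN, exactly like the openssl req command above.
create_ca_cert() {
    ca_dir="$1"; token="$2"; label="$3"
    openssl req -new -x509 -days 365 \
        -key "pkcs11:token=$token;object=$label;type=private" \
        -out "$ca_dir/newcerts/ca.cer"
}

# Sign a CSR with the HSM key, then confirm the issued certificate
# actually chains to ca.cer before it is handed out.
sign_and_verify() {
    ca_dir="$1"; token="$2"; label="$3"; csr="$4"; out="$5"
    check_ca_dir "$ca_dir" || { echo "CA directory incomplete" >&2; return 1; }
    openssl ca -policy policy_anything -cert "$ca_dir/newcerts/ca.cer" \
        -in "$csr" -keyfile "pkcs11:token=$token;object=$label;type=private" \
        -out "$out"
    openssl verify -CAfile "$ca_dir/newcerts/ca.cer" "$out"
}
```

Run as `setup_ca_dir /localCA && create_ca_cert /localCA TOKEN_NAME KEY_LABEL`, then `sign_and_verify /localCA TOKEN_NAME KEY_LABEL request.csr certificate.crt` for each request.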