Generate Certificate Request for Sender and Receiver

  1. Create the directories that will hold the sender and receiver certificate requests:

# mkdir /localCA/newcerts/sender
# mkdir /localCA/newcerts/receiver
  1. Generate a sender key pair using p11tool2. The slot number (slot=0) and the CryptoUser PIN (LoginUser=123456) are placeholders; note that a PIN passed on the command line ends up in the shell history and is visible in process listings while the command runs.

For RSA

# p11tool2 slot=0 LoginUser=123456 PubKeyAttr=CKA_LABEL="SenderKey" PrvKeyAttr=CKA_LABEL="SenderKey" GenerateKeyPair=RSA

For ECDSA

# p11tool2 slot=0 LoginUser=123456 PubKeyAttr=CKA_LABEL="SenderKey" PrvKeyAttr=CKA_LABEL="SenderKey" GenerateKeyPair=ECC

Once key generation has completed, set the same CKA_ID on both the public and the private ECDSA key using the PKCS#11 CryptoServer Administration tool. The shared CKA_ID is what pairs the two objects; the OpenSSL pkcs11 engine uses it to locate the public key (and its EC point) that belongs to the private key when the CSR is generated in a later step.

  1. Verify that the keys were generated on the HSM using the following command. Both a public and a private key object labelled SenderKey should be listed.

# p11tool2 slot=<Slot_No.> LoginUser=<CryptoUser_PIN> ListObjects

For RSA

Figure 26: Sender RSA Key list

For ECDSA

Figure 27: Sender ECDSA Key list

  1. Generate a certificate request for the sender.

# openssl req -engine pkcs11 -new -key "pkcs11:token=OpensslSlot;object=SenderKey" -keyform engine -out /localCA/newcerts/sender/sender.txt

Figure 28: Sender certificate request generation

Leave "A challenge password" blank when prompted.

Here, OpensslSlot is the token label and SenderKey is the label of the key on the HSM. The request is signed inside the HSM; only the signed CSR is written to sender.txt, the private key never leaves the device. Provide the CryptoUser PIN when prompted.

  1. Sign the sender certificate request with the CA

# openssl ca -engine pkcs11 -policy policy_anything -cert /localCA/newcerts/ca.cer -in /localCA/newcerts/sender/sender.txt -keyfile "pkcs11:token=OpensslSlot;object=CAKey" -keyform engine -out /localCA/newcerts/sender/SenderSignedCertificate.cert

Figure 29: Sender certificate request signing by CA

Press y to sign and y again to commit.

Here, OpensslSlot is the token label and CAKey is the CA signing key on the HSM. Provide the CryptoUser PIN when prompted. The policy_anything section of the default openssl.cnf places no constraints on the subject fields of the request; for anything beyond a test setup, use a policy that pins the fields the CA is allowed to issue for.

  1. Generate a key pair for the receiver using p11tool2

For RSA

# p11tool2 slot=0 LoginUser=123456 PubKeyAttr=CKA_LABEL="ReceiverKey" PrvKeyAttr=CKA_LABEL="ReceiverKey" GenerateKeyPair=RSA

For ECDSA

# p11tool2 slot=0 LoginUser=123456 PubKeyAttr=CKA_LABEL="ReceiverKey" PrvKeyAttr=CKA_LABEL="ReceiverKey",CKA_DERIVE=CK_TRUE GenerateKeyPair=ECC

Make sure CKA_DERIVE=CK_TRUE is set on the receiver's private key as shown above: without it the HSM will refuse to use the key in C_DeriveKey, which is what ECDH key agreement with the receiver relies on. Once key generation has completed, set the same CKA_ID on both the public and the private ECDSA key using the PKCS#11 CryptoServer Administration tool, exactly as for the sender key.

  1. Verify that the key pair was generated on the HSM using the following command. Both a public and a private key object labelled ReceiverKey should be listed.

# p11tool2 slot=<Slot_No.> LoginUser=<CryptoUser_PIN> ListObjects

For RSA

Figure 30: Receiver RSA Key list

For ECDSA

Figure 31: Receiver ECDSA Key list

  1. Generate a certificate request for the receiver.

# openssl req -engine pkcs11 -new -key "pkcs11:token=OpensslSlot;object=ReceiverKey" -keyform engine -out /localCA/newcerts/receiver/Receiver.txt

Figure 32: Receiver certificate request generation

Leave "A challenge password" blank when prompted.

Here, OpensslSlot is the token label and ReceiverKey is the label of the key on the HSM. Provide the CryptoUser PIN when prompted.

  1. Sign the receiver certificate request with the CA

# openssl ca -engine pkcs11 -policy policy_anything -cert /localCA/newcerts/ca.cer -in /localCA/newcerts/receiver/Receiver.txt -keyfile "pkcs11:token=OpensslSlot;object=CAKey" -keyform engine -out /localCA/newcerts/receiver/ReceiverSignedCertificate.cert

Figure 33: Receiver certificate request signing by CA

Press y to sign and y again to commit.

Here, OpensslSlot is the token label and CAKey is the CA signing key on the HSM. Provide the CryptoUser PIN when prompted.
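The steps above are typed one at a time for the sender and then repeated for the receiver. The script below is an added example, not part of the original page or of the Utimaco tooling: it wraps the key generation, CSR and CA signing steps into one reusable script, builds the PKCS#11 URIs with proper percent-encoding (a token or key label containing a space or ';' would otherwise break the URI), and adds the two checks the page leaves out after signing: that the issued certificate chains to ca.cer and that it carries exactly the public key from the CSR, i.e. the HSM-resident key. It assumes p11tool2 and an OpenSSL build with the pkcs11 engine on PATH, a CA set up as on this page (CAKey on token OpensslSlot, /localCA/newcerts/ca.cer, the policy_anything section in openssl.cnf), and that the CryptoUser PIN is supplied in the environment variable HSM_PIN (an assumed name) rather than typed into the command. The key labels, file names and directories are the ones used on this page; -batch and -subj are standard openssl flags used here to replace the interactive prompts.

```shell
#!/bin/sh
# Added example (not from the original page): drives the sender/receiver
# key, CSR and signing steps and verifies the result.
# Assumptions: p11tool2 and openssl (pkcs11 engine) on PATH, CA as on the
# page, PIN in HSM_PIN (assumed variable name), slot/token overridable.
set -eu

SLOT=${HSM_SLOT:-0}              # slot number used on this page
TOKEN=${HSM_TOKEN:-OpensslSlot}  # token label used in the page's URIs
CA_DIR=${CA_DIR:-/localCA/newcerts}

# Percent-encode a value for use inside a PKCS#11 URI (RFC 7512).  Everything
# outside the unreserved set is encoded; over-encoding is harmless because
# consumers such as libp11 decode %XX, but a raw ';' or space in a label
# would be parsed as a new attribute or rejected.
pkcs11_pct_encode() {
  enc_in=$1; enc_out=''
  while [ -n "$enc_in" ]; do
    enc_rest=${enc_in#?}            # drop first character
    enc_c=${enc_in%"$enc_rest"}     # keep only the first character
    case $enc_c in
      [A-Za-z0-9._~-]) enc_out="$enc_out$enc_c" ;;
      *) enc_out="$enc_out$(printf '%%%02X' "'$enc_c")" ;;
    esac
    enc_in=$enc_rest
  done
  printf '%s' "$enc_out"
}

# URI that openssl's pkcs11 engine uses to find a key: token-label object-label [type]
pkcs11_uri() {
  printf 'pkcs11:token=%s;object=%s;type=%s' \
    "$(pkcs11_pct_encode "$1")" "$(pkcs11_pct_encode "$2")" "${3:-private}"
}

# Private-key attributes for p11tool2: the receiver's ECC key additionally
# needs CKA_DERIVE so the HSM allows it in C_DeriveKey (ECDH), as on the page.
prvkey_attrs() {  # key-label role alg
  attrs="CKA_LABEL=$1"
  if [ "$2" = receiver ] && [ "$3" = ECC ]; then
    attrs="$attrs,CKA_DERIVE=CK_TRUE"
  fi
  printf '%s' "$attrs"
}

gen_keypair() {  # key-label role alg(RSA|ECC)
  p11tool2 slot="$SLOT" LoginUser="$HSM_PIN" \
    PubKeyAttr="CKA_LABEL=$1" PrvKeyAttr="$(prvkey_attrs "$1" "$2" "$3")" \
    GenerateKeyPair="$3"
  # For ECC keys the CKA_ID must still be set on both objects with the
  # PKCS#11 CryptoServer Administration tool before the CSR step.
}

gen_csr() {  # key-label csr-path ; the engine prompts for the PIN
  openssl req -engine pkcs11 -keyform engine -new \
    -key "$(pkcs11_uri "$TOKEN" "$1")" -subj "/CN=$1" -out "$2"
}

sign_csr() {  # csr-path cert-path ; -batch replaces the two "y" answers
  openssl ca -engine pkcs11 -keyform engine -batch -policy policy_anything \
    -cert "$CA_DIR/ca.cer" -keyfile "$(pkcs11_uri "$TOKEN" CAKey)" \
    -in "$1" -out "$2"
}

# Post-issuance checks: chains to ca.cer, and the certificate's public key is
# byte-for-byte the one that was in the CSR (i.e. the key on the HSM).
verify_cert() {  # csr-path cert-path
  openssl verify -CAfile "$CA_DIR/ca.cer" "$2" >/dev/null
  [ "$(openssl x509 -in "$2" -noout -pubkey)" = \
    "$(openssl req -in "$1" -noout -pubkey)" ]
}

issue() {  # role(sender|receiver) alg(RSA|ECC)
  case $1 in
    sender)   label=SenderKey ;;
    receiver) label=ReceiverKey ;;
    *) echo "role must be sender or receiver" >&2; return 1 ;;
  esac
  dir=$CA_DIR/$1
  csr=$dir/$1.txt                               # file names as on this page
  cert=$dir/${label%Key}SignedCertificate.cert  # SenderSignedCertificate.cert
  mkdir -p "$dir"
  gen_keypair "$label" "$1" "$2"
  gen_csr "$label" "$csr"
  sign_csr "$csr" "$cert"
  verify_cert "$csr" "$cert"
  echo "issued and verified $cert"
}

# Usage: HSM_PIN=... ./issue_cert.sh receiver ECC   (no arguments: define only)
if [ $# -gt 0 ]; then
  : "${HSM_PIN:?set HSM_PIN to the CryptoUser PIN}"
  issue "$@"
fi
```

verify_cert is the step worth keeping even if the rest is typed by hand: a CA that signs whatever request it is handed will happily issue a certificate for a key that is not on the HSM, and comparing the SubjectPublicKeyInfo of the certificate with that of the CSR catches a wrong -key URI or a request file that was swapped between the req and ca steps.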